This repository has been archived by the owner on Nov 28, 2018. It is now read-only.
Commit
(MCOP-600) Prevent public key overwriting attack via identity
When using two-way automatic public key distribution, each end writes the other's `identity` as a public key file locally. No validation was done on the `identity`, so it could trigger directory traversal and allow the attacker to overwrite an unexpected file (like a trusted public key certificate). Prevent this by verifying identity does not result in traversing outside the intended distribution directory.
1 parent ad56bb7, commit 3388a31. Showing 2 changed files with 29 additions and 10 deletions.
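An added example, not the commit's own code (the diff is not shown on this page), of the check the commit message describes: resolve the key path built from `identity` and refuse it when it leaves the distribution directory. The helper names, the `.pem` suffix and the refusal to replace an existing key are assumptions.

```ruby
require 'tmpdir'

# Hypothetical names; the ".pem" suffix is an assumption, not taken from the commit.
class UnsafeIdentity < StandardError; end

# Unvalidated form: the identity goes straight into the path, so "../"
# segments resolve outside the distribution directory.
def naive_key_path(dir, identity)
  File.join(dir, "#{identity}.pem")
end

# Checked form: resolve the candidate and require it to stay under dir.
def checked_key_path(dir, identity)
  raise UnsafeIdentity, 'empty identity' if identity.nil? || identity.empty?
  raise UnsafeIdentity, 'NUL byte in identity' if identity.include?("\0")

  base = File.expand_path(dir)
  # Joining onto base first keeps a leading "~" or "/" from being treated
  # as a home directory or an absolute path.
  candidate = File.expand_path(File.join(base, "#{identity}.pem"))
  unless candidate.start_with?(base + File::SEPARATOR)
    raise UnsafeIdentity, "#{identity.inspect} resolves outside #{base}"
  end
  candidate
end

def store_public_key(dir, identity, pem)
  path = checked_key_path(dir, identity)
  # Assumption: an already-distributed key is never silently replaced.
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o644) { |f| f.write(pem) }
  path
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |root|
    dir = File.join(root, 'clients') # constructed layout
    Dir.mkdir(dir)
    puts File.expand_path(naive_key_path(dir, '../ca')) # lands in root, not clients
    puts store_public_key(dir, 'node1.example.com', "constructed key\n")
    begin
      store_public_key(dir, '../ca', "constructed key\n")
    rescue UnsafeIdentity => e
      puts "rejected: #{e.message}"
    end
  end
end
```

The prefix comparison includes the trailing separator, so a sibling directory whose name merely starts with the distribution directory's name is also rejected.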