Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Folder escape via versioning symlinks #4286

Closed
calmh opened this issue Aug 7, 2017 · 2 comments
Closed

Folder escape via versioning symlinks #4286

calmh opened this issue Aug 7, 2017 · 2 comments
Labels
bug A problem with current functionality, as opposed to missing functionality (enhancement) frozen-due-to-age Issues closed and untouched for a long time, together with being locked for discussion

Comments

@calmh
Copy link
Member

calmh commented Aug 7, 2017
edited

Syncthing erronously versions symlinks when they are deleted. If a directory is then created with the same name, a file created in that directory, and the file deleted, it is moved into the symlink target.
@calmh calmh added the bug A problem with current functionality, as opposed to missing functionality (enhancement) label Aug 7, 2017
@calmh calmh added this to the Planned milestone Aug 7, 2017
calmh added a commit that referenced this issue Aug 8, 2017
@calmh
lib/model, lib/versioner: Prevent symlink attack via versioning (fixes
a0f771c 
…#4286)

Prior to this, the following is possible:

- Create a symlink "foo -> /somewhere", it gets synced
- Delete "foo", it gets versioned
- Create "foo/bar", it gets synced
- Delete "foo/bar", it gets versioned in "/somewhere/bar"

With this change, versioners should never version symlinks.
@calmh calmh closed this as completed in f1f21bf Aug 8, 2017
@calmh calmh changed the title Placeholder issue Folder escape via versioning symlinks Aug 8, 2017
calmh added a commit that referenced this issue Aug 8, 2017
@calmh
lib/model, lib/versioner: Prevent symlink attack via versioning (fixes
1f09488 
…#4286)

Prior to this, the following is possible:

- Create a symlink "foo -> /somewhere", it gets synced
- Delete "foo", it gets versioned
- Create "foo/bar", it gets synced
- Delete "foo/bar", it gets versioned in "/somewhere/bar"

With this change, versioners should never version symlinks.
@thekoma thekoma mentioned this issue Aug 8, 2017
Closed
calmh added a commit that referenced this issue Aug 8, 2017
@calmh
Merge branch 'master' into release
8b2df44 
* master:
  lib/versioner: Clean the versions dir of symlinks, not the full folder
  lib/model: Disable symlink attack test on Windows
  lib/model, lib/versioner: Prevent symlink attack via versioning (fixes #4286)
  gui: Add title attributes for shared devices/folders
@lfam lfam mentioned this issue Aug 16, 2017
Closed
viable-hartman pushed a commit to viable-hartman/syncthing that referenced this issue Aug 25, 2017
@calmh @viable-hartman
lib/model, lib/versioner: Prevent symlink attack via versioning (fixes
6f44119 
…syncthing#4286)

Prior to this, the following is possible:

- Create a symlink "foo -> /somewhere", it gets synced
- Delete "foo", it gets versioned
- Create "foo/bar", it gets synced
- Delete "foo/bar", it gets versioned in "/somewhere/bar"

With this change, versioners should never version symlinks.
@abergmann
Copy link

CVE-2017-1000420 was assigned to this issue.
https://nvd.nist.gov/vuln/detail/CVE-2017-1000420

@calmh
Copy link
Member Author

calmh commented Jan 3, 2018

Yep, thanks.

@st-review st-review added the frozen-due-to-age Issues closed and untouched for a long time, together with being locked for discussion label Aug 8, 2018
@syncthing syncthing locked and limited conversation to collaborators Aug 8, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug A problem with current functionality, as opposed to missing functionality (enhancement) frozen-due-to-age Issues closed and untouched for a long time, together with being locked for discussion
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@calmh @abergmann @st-review