diff options
| -rw-r--r-- | safepath.c | 12 |
1 files changed, 12 insertions, 0 deletions
@@ -248,6 +248,18 @@ int safepath_check(const char *name) goto free_out; } + /* We check the symlink ownership and declare a symlink + * not owned by us or root to be unsafe. This is particularly + * important in the case when the previous component is a + * sticky directory which we declared safe, similar to /tmp. + * Multiple users can create symlinks in /tmp or a /tmp-like + * directory, which could be used to subvert this function. + */ + if (st.st_uid != 0 && st.st_uid != geteuid()) { + ret = SAFEPATH_UNSAFE; + goto free_out; + } + if ((len = readlink(copy, link, sizeof link)) < 0) { ret = safepath_err(errno); goto free_out; |