-rw-r--r-- | README.md | 15 |
1 files changed, 15 insertions, 0 deletions
@@ -55,6 +55,21 @@ can be manipulated by a different user. Every level of symlink resolution must be performed by substitution, and a check of all the new components that are thus inserted into the path. +## Known caveats + +`safepath_check` accepts both relative and absolute paths. Checking +a relative path begins with the `"."` directory, whereupon it is implicitly +trusted that the process had safely changed to this directory somehow. +However, that may not be so. The process may have traversed an untrusted +directory or symlink when it performed the `chdir` call to change to the +current directory. One might think that calling `getcwd` and validating the +resulting absolute path with `safepath_check` is enough, but that may not be +so: a malicious link could misdirect into a directory which has a safe absolute +path. The user's application could thereby be fooled into accessing or +modifying data, which the user owns, but which is not the intended target +of the access. If relative paths are used, it's recommended to first change to +desired directory using an absolute path which is checked for safety. + ## License `safepath` is offered under the two-clause BSD license. See the copyright |
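Review bot: The recommendation at the end of the new "Known caveats" section is under-specified and has a grammar slip; it should say what exactly to run and in which order. "it's recommended to first change to desired directory" is missing "the", and the sentence leaves it implicit that the absolute path must be validated with `safepath_check` before the `chdir`, not after. Suggest spelling the sequence out, e.g. "build the absolute path of the intended working directory, pass it through `safepath_check`, and only then `chdir` to it; afterwards relative paths can be checked starting from `"."`". It would also help to state plainly, next to the `getcwd` remark, that a post-hoc `getcwd` check cannot substitute for this, since the paragraph already explains that a malicious link can land the process in a directory whose absolute path is itself safe.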