Limited dir traversal in DiskFile()
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Object Storage (swift) |
Fix Released
|
Low
|
Vincent Untz |
Bug Description
And another one from Sebastian Krahmer / SUSE.
Sebastian Krahmer 2012-05-07 14:57:33 CEST
The DiskFile() that is constructed in POST/PUT requests etc.
uses user input to construct path names, where "device"
could be ../../../../etc and as a result any created files
are inside /etc or similar directories where it does not belong to.
Sebastian Krahmer 2012-05-16 10:50:49 CEST
(In reply to comment #10)
> re Comment 1:
>
> it can be triggered like this
> curl -X__init__
> "http://
> (note that the words are literals and do not need to be substituted)
>
> The object server simply sends back a 500 response with a backtrace and lives
> on.
> Note that the object server relies on the proxy server for authorization, so if
> one can access the port, I assume one can play at will.
>
> For example, overwriting a file:
>
> curl -H "x-timestamp: `date +%s`" -d hello
> "http://
Also note that you could add '../' instead of some of these directory
components (sdb1 or AUTH_...) so you can overwrite files that dont
belong to swift or object storage at all.
summary: |
- dir traversal in DiskFile() + Limited dir traversal in DiskFile() |
Changed in swift: | |
importance: | Medium → Low |
Changed in swift: | |
status: | Fix Committed → In Progress |
Changed in swift: | |
milestone: | none → 1.6.0 |
status: | Fix Committed → Fix Released |
I think there are two aspects to this.
(1) DiskFile could be strengthened "../../ ../etc/ moo" due to the way split_path works. And the other path elements are not directly used to build a path. You *could* pass device=".." but I doubt that's exploitable due to how DiskFile ultimately maps to a precise file. That said, I agree that preventing even limited traversal is certainly a good thing to do. Keeping this bug open to track that.
You can't really pass device=
(2) Object/ Container/ Account servers are blindly open to potentially- damaging requests. Anyone with direct access to those can create havoc, since the requests are not authenticated in any way. I think this is by design... suggestions on how to improve that and keep horizontal scalability ?
Depending on how discussion on that second part goes, we may open a separate bug to track that.