mhttpd serves /etc/passwd

Stefan Ritt

I confirm the problem.

The tricky question is how to fix it. At the moment, we have open_resource_file() which looks for a requested file in different locations. It checks the file itself, so "/etc/passwd" is actually checked as "/etc/passwd", then it checks it under "/Experiment/Resources", then relative to MIDAS_DIR, then relative to MIDASSYS. If we use custom pages, then "/Custom/Path" (in the ODB) is checked as well, and if one sets this value to "/", everything is searched under the root file system. Possible solutions I see are the following:

0) Do the file checking inside open_resource_file() in one central place. This avoids problems with %2F & friends escape sequences in the URL. 1) Only search under MIDASSYS and the current experiment directory which gets returned via cm_get_path(). This avoids retrieving files from any other location, but eliminates the ODB entries "/Experiment/Resources" and "/Custom/Path". 2) Check all file paths to start with "/etc", "/var", "/log", "/usr" etc. This is pretty tedious and incomplete. Some midas experiments live under /usr/home/<name> so we have to allow /usr, leading to the leak that one can retrieve files from other users. So I don't really see how this should work.

Any comments? I guess we should ensure 0) and then go with 1), but it will break experiments which use "/Custom/Path" not being set to the experiment directory.

Stefan

2019-01-08T12:25:00+00:00

Comments (3)

Stefan Ritt
I confirm the problem.

The tricky question is how to fix it. At the moment, we have open_resource_file() which looks for a requested file in different locations. It checks the file itself, so "/etc/passwd" is actually checked as "/etc/passwd", then it checks it under "/Experiment/Resources", then relative to MIDAS_DIR, then relative to MIDASSYS. If we use custom pages, then "/Custom/Path" (in the ODB) is checked as well, and if one sets this value to "/", everything is searched under the root file system. Possible solutions I see are the following:

0) Do the file checking inside open_resource_file() in one central place. This avoids problems with %2F & friends escape sequences in the URL. 1) Only search under MIDASSYS and the current experiment directory which gets returned via cm_get_path(). This avoids retrieving files from any other location, but eliminates the ODB entries "/Experiment/Resources" and "/Custom/Path". 2) Check all file paths to start with "/etc", "/var", "/log", "/usr" etc. This is pretty tedious and incomplete. Some midas experiments live under /usr/home/<name> so we have to allow /usr, leading to the leak that one can retrieve files from other users. So I don't really see how this should work.

Any comments? I guess we should ensure 0) and then go with 1), but it will break experiments which use "/Custom/Path" not being set to the experiment directory.

Stefan
- 2019-01-08T12:25:00+00:00
dd1 reporter
original problem is fixed: a) "/" is no longer added to file names when /Custom/Path is blank ("/etc/passwd" is now "etc/passwd"), b) "/" in file names is rejected, "etc/passwd" is rejected, c) value "/" for /Custom/Path is explicitly not permitted. K.O.
- 2019-03-05T17:43:21+00:00
dd1 reporter
- changed status to resolved
fixed as of tag midas-2019-03-b. K.O.
- 2019-03-05T17:43:40+00:00
Log in to comment