mhttpd serves /etc/passwd

Issue #159 resolved
dd1 created an issue

https://daq16.triumf.ca/etc/passwd returns the contents of daq16's /etc/passwd. Disaster. (I did set /Custom/Path to "" (blank) or my /Custom links did not work). K.O.

Comments (3)

  1. Stefan Ritt

    I confirm the problem.

    The tricky question is how to fix it. At the moment, we have open_resource_file() which looks for a requested file in different locations. It checks the file itself, so "/etc/passwd" is actually checked as "/etc/passwd", then it checks it under "/Experiment/Resources", then relative to MIDAS_DIR, then relative to MIDASSYS. If we use custom pages, then "/Custom/Path" (in the ODB) is checked as well, and if one sets this value to "/", everything is searched under the root file system. Possible solutions I see are the following:

    0) Do the file checking inside open_resource_file() in one central place. This avoids problems with %2F & friends escape sequences in the URL.

    1) Only search under MIDASSYS and the current experiment directory which gets returned via cm_get_path(). This avoids retrieving files from any other location, but eliminates the ODB entries "/Experiment/Resources" and "/Custom/Path".

    2) Check all file paths to start with "/etc", "/var", "/log", "/usr" etc. This is pretty tedious and incomplete. Some midas experiments live under /usr/home/<name> so we have to allow /usr, leading to the leak that one can retrieve files from other users. So I don't really see how this should work.

    Any comments? I guess we should ensure 0) and then go with 1), but it will break experiments which use "/Custom/Path" not being set to the experiment directory.

    Stefan

  2. dd1 reporter

    Original problem is fixed: a) "/" is no longer added to file names when /Custom/Path is blank ("/etc/passwd" is now "etc/passwd"), b) "/" in file names is rejected, "etc/passwd" is rejected, c) value "/" for /Custom/Path is explicitly not permitted. K.O.
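
An added example (not mhttpd's code and not written by either commenter): a C sketch of the central check discussed in the comments above, decoding %XX escapes once before testing the name, then applying rules (b) and (c) from the last comment. The function names `url_decode`, `resource_name_allowed` and `custom_path_allowed` are hypothetical, and rejecting `.`/`..` and all-slash values such as `//` is an assumption that goes beyond what the thread states.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: decode %XX once; -1 on bad escape, encoded NUL or overflow. */
static int url_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '%') {
            if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2]))
                return -1;
            char hex[3] = { in[1], in[2], '\0' };
            c = (unsigned char)strtol(hex, NULL, 16);
            if (c == '\0') return -1;
            in += 2;
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Rule (b): after decoding, the name must be a single path component. */
int resource_name_allowed(const char *url_name)
{
    char name[256];
    if (url_decode(url_name, name, sizeof name) != 0) return 0;
    if (name[0] == '\0' || strchr(name, '/') != NULL) return 0;
    /* Assumption beyond the thread: also refuse "." and "..". */
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Rule (c): "/" is refused as /Custom/Path, blank stays allowed; "//" is assumed equal to "/". */
int custom_path_allowed(const char *path)
{
    return path[0] == '\0' || strspn(path, "/") != strlen(path);
}

int main(void)
{
    /* Constructed sample request names, not taken from a real log. */
    const char *names[] = { "status.html", "/etc/passwd", "etc%2Fpasswd", "%2e%2e" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-14s -> %s\n", names[i], resource_name_allowed(names[i]) ? "serve" : "reject");
    return 0;
}
```

The check is purely lexical and does not resolve symbolic links inside the served directories.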
