Re: [Qemu-devel] About a virtio 9p backend issue

Re: [Qemu-devel] About a virtio 9p backend issue

[Greg Kurz]

Le Wed, 10 Aug 2016 20:28:27 +0530 (IST),
P J P <ppandit@redhat.com> a écrit :

> +-- On Wed, 10 Aug 2016, Greg Kurz wrote --+
> | As Michael already pointed in a previous mail, this will break legal paths
> | with a component ending in ".." like "foo../bar". The fix should only ban
> | paths containing a component that is strictly equal to "..".
> 
>   But that would not fix the path traversal issue, would it? As in, one could 
> traverse the path like  foo/bar/../../bar1 ?
> 

Unless I've missed something, if you forbid all paths containing at least one
".." component, the path traversal issue is fixed, isn't it ? Something like
strstr(path, "/../") or paths starting with "../" or ending with "/.." ?

I don't expect the official linux driver to pass relative paths to QEMU, but
I cannot check this out. I guess you should verify that it is still possible
to use relative paths in the guest.

And what about the other backends, especially the proxy one ?

Also I realize this thread is private: please Cc qemu-devel when sending
your patch and don't forget to add appropriate Signed-off-by tags, as it
is mandatory for acceptance.

Thanks for chasing this issue. I think it's been there for a long time but
it would be great to have this fixed in 2.7.

Cheers.

--
Greg

> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F