Re: bash path normalization bug

[Seth Arnold <seth.arnold () canonical com>]

On Thu, Nov 15, 2012 at 10:09:56PM +0200, Andris Berzins wrote:
> $ bash --version<br />GNU bash, version 4.2.8(1)-release
> (x86_64-pc-linux-gnu)<br /><br />$ bash --version<br />GNU bash,
> version 4.0.28(1)-release (i386-pc-solaris2.8)<br /><br />Bash fails
> to normalize path starting starting with "//" and will consider "/"
> and "//" to be different paths:<br /><br />$ cd /tmp &amp;&amp; pwd<br
> />/tmp<br />$ cd //tmp &amp;&amp; pwd<br />//tmp<br /><br />Scripts
> which do path normalization by:<code><span class="pln"><br
> />normalDir</span><span class="pun">=</span><span class="str">`cd
> "${dirToNormalize}";pwd`</span></code><br /><br />and check it against
> blacklists are vulnerable.

You've mistaken a feature for a bug.

The following quote is from IEEE Std 1003.1, 2004 Edition:

    A pathname consisting of a single slash shall resolve to the root
    directory of the process. A null pathname shall not be successfully
    resolved. A pathname that begins with two successive slashes may be
    interpreted in an implementation-defined manner, although more than
    two leading slashes shall be treated as a single slash.

http://pubs.opengroup.org/onlinepubs/000095399/basedefs/xbd_chap04.html#tag_04_11

Bash has chosen to maintain the // version of a path in case the rest
of the system chooses to do something clever with it (such as automount
network shares).

Checking blacklists are more of a usability feature than a security
feature; if it were a security feature, it'd be a whitelist.

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/