Full Disclosure mailing list archives
Re: bash path normalization bug
From: Seth Arnold <seth.arnold () canonical com>
Date: Mon, 19 Nov 2012 11:00:43 -0800
On Thu, Nov 15, 2012 at 10:09:56PM +0200, Andris Berzins wrote:
$ bash --version<br />GNU bash, version 4.2.8(1)-release (x86_64-pc-linux-gnu)<br /><br />$ bash --version<br />GNU bash, version 4.0.28(1)-release (i386-pc-solaris2.8)<br /><br />Bash fails to normalize path starting starting with "//" and will consider "/" and "//" to be different paths:<br /><br />$ cd /tmp && pwd<br />/tmp<br />$ cd //tmp && pwd<br />//tmp<br /><br />Scripts which do path normalization by:<code><span class="pln"><br />normalDir</span><span class="pun">=</span><span class="str">`cd "${dirToNormalize}";pwd`</span></code><br /><br />and check it against blacklists are vulnerable.
You've mistaken a feature for a bug. The following quote is from IEEE Std 1003.1, 2004 Edition: A pathname consisting of a single slash shall resolve to the root directory of the process. A null pathname shall not be successfully resolved. A pathname that begins with two successive slashes may be interpreted in an implementation-defined manner, although more than two leading slashes shall be treated as a single slash. http://pubs.opengroup.org/onlinepubs/000095399/basedefs/xbd_chap04.html#tag_04_11 Bash has chosen to maintain the // version of a path in case the rest of the system chooses to do something clever with it (such as automount network shares). Checking blacklists are more of a usability feature than a security feature; if it were a security feature, it'd be a whitelist.
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- bash path normalization bug Andris Berzins (Nov 19)
- Re: bash path normalization bug Seth Arnold (Nov 19)