oss-sec mailing list archives
Re: accountsservice: insufficient path check in user_change_icon_file_authorized_cb()
From: Matthias Gerstner <mgerstner () suse de>
Date: Tue, 3 Jul 2018 10:11:45 +0200
It might be a good idea to double-check that the result of g_file_get_path() starts with "/", doesn't contain "/../" and (just for completeness) doesn't end with "/..".
I tested the patch initially and an isolated test case shows that it does cover all these cases. No system calls appear to be performed.

Regards

Matthias
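The three string checks suggested in the message above, written out as a standalone C function with a few test paths. This is an added example, not code from the accountsservice patch or from anyone in the thread. The helper name `icon_path_is_safe` and the sample paths are assumptions, and the function takes a plain string where the real code would pass the result of g_file_get_path().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from accountsservice): applies the three checks
 * from the message to a path string such as the one g_file_get_path()
 * returns. The checks are purely lexical, so no system calls are made. */
static bool icon_path_is_safe(const char *path)
{
    size_t len;

    /* g_file_get_path() returns NULL when the GFile has no local path. */
    if (path == NULL)
        return false;

    /* 1. Must start with "/". */
    if (path[0] != '/')
        return false;

    /* 2. Must not contain a "/../" component. */
    if (strstr(path, "/../") != NULL)
        return false;

    /* 3. Must not end with "/..". */
    len = strlen(path);
    if (len >= 3 && strcmp(path + len - 3, "/..") == 0)
        return false;

    return true;
}

int main(void)
{
    /* Constructed sample paths, not taken from the thread. */
    const char *samples[] = {
        "/home/alice/.face",
        "relative/icon.png",
        "/usr/share/pixmaps/../../tmp/x.png",
        "/home/alice/..",
        "/home/alice/..hidden.png", /* name merely starts with ".." */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s %s\n", samples[i],
               icon_path_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```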