oss-sec mailing list archives

Re: accountsservice: insufficient path check in user_change_icon_file_authorized_cb()


From: Matthias Gerstner <mgerstner () suse de>
Date: Tue, 3 Jul 2018 10:11:45 +0200

It might be a good idea to double-check that the result of
g_file_get_path() starts with "/", doesn't contain "/../" and (just for
completeness) doesn't end with "/..".

I tested the patch initially and an isolated test case shows that it
does cover all these cases. No system calls appear to be performed.

Regards

Matthias
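
The path check suggested above, written as a stand-alone C function. This is an added example, not part of the original message or of the accountsservice patch; the function name and the sample paths are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from accountsservice): true only if `path` is
 * absolute and has no ".." component, i.e. it starts with "/", does not
 * contain "/../" and does not end with "/..". Pure string check, no
 * system calls, so symlinks are not resolved. */
bool path_is_absolute_without_dotdot(const char *path)
{
    if (path == NULL || path[0] != '/')
        return false;

    const char *p = path;
    while (*p != '\0') {
        while (*p == '/')          /* skip one or more separators */
            p++;
        const char *start = p;     /* start of the next component */
        while (*p != '\0' && *p != '/')
            p++;
        size_t len = (size_t)(p - start);
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return false;          /* covers "/../" and a trailing "/.." */
    }
    return true;
}

int main(void)
{
    /* Constructed sample paths, not taken from the thread. */
    const char *samples[] = {
        "/home/alice/face.png", "/home/alice/../root/x", "/home/alice/..",
        "relative/icon.png", "/home/alice/..hidden", "/home//../etc",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s %s\n", samples[i],
               path_is_absolute_without_dotdot(samples[i]) ? "ok" : "reject");
    return 0;
}
```

Comparing whole components rather than searching for the substring "/.." keeps names such as "..hidden" valid while still rejecting every real parent-directory reference.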
