From: Andrew Tridgell <andrew@tridgell.net>
Date: Mon, 25 Nov 2024 22:16:31 +0000 (+1100)
Subject: disallow ../ elements in relpath for secure_relative_open
X-Git-Tag: v3.4.0~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9f86ddc9652247233f32b241a79d5aa4fb9d4afa;p=thirdparty%2Frsync.git

disallow ../ elements in relpath for secure_relative_open
---

diff --git a/syscall.c b/syscall.c
index cffc814b..081357bb 100644
--- a/syscall.c
+++ b/syscall.c
@@ -716,6 +716,8 @@ int do_open_nofollow(const char *pathname, int flags)
   must be a relative path, and the relpath must not contain any
   elements in the path which follow symlinks (ie. like O_NOFOLLOW, but
   applies to all path components, not just the last component)
+
+  The relpath must also not contain any ../ elements in the path
 */
 int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode)
 {
@@ -724,6 +726,11 @@ int secure_relative_open(const char *basedir, const char *relpath, int flags, mo
 		errno = EINVAL;
 		return -1;
 	}
+	if (strncmp(relpath, "../", 3) == 0 || strstr(relpath, "/../")) {
+		// no ../ elements allowed in the relpath
+		errno = EINVAL;
+		return -1;
+	}
 
 #if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY)
 	// really old system, all we can do is live with the risks