From: Roy Marples
Date: Sun, 24 May 2020 13:49:41 +0000 (+0100)
Subject: privsep: Avoid the /proc/../ escape
X-Git-Tag: v9.1.0~20
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4e596404535f7a53e46403be039c16a5d05649b5;p=thirdparty%2Fdhcpcd.git
privsep: Avoid the /proc/../ escape
---
diff --git a/src/privsep-root.c b/src/privsep-root.c
index cba469db..5884357a 100644
--- a/src/privsep-root.c
+++ b/src/privsep-root.c
@@ -288,6 +288,11 @@ static bool ps_root_validpath(const struct dhcpcd_ctx *ctx, uint16_t cmd, const char *path) {
+ /* Avoid a previous directory attack to avoid /proc/../
+ * dhcpcd should never use a path with double dots. */
+ if (strstr(path, "..") != NULL)
+ return false;
+ + if (cmd == PS_READFILE) { if (strcmp(ctx->cffile, path) == 0) return true;
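Review bot: The comment on the new guard at the top of ps_root_validpath overstates what the check does. The guard is a plain substring test, so it rejects every path containing `..` (including a file name such as `a..b`), and it inspects the request string rather than the resolved path. The current wording ("Avoid a previous directory attack to avoid /proc/../") reads as if traversal were fully handled. I would replace it with `/* Reject any path containing ".." so a request cannot climb out of an allowed prefix such as /proc/; this is a string check only and does not resolve symlinks. */`. Separately, if the function's later rejection path sets errno before returning false, this early `return false;` should do the same so callers see a consistent error; the body continues outside the hunk, so that needs confirming against the full function.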