On Thu, Nov 15, 2012 at 10:09:56PM +0200, Andris Berzins wrote:
> $ bash --version<br />GNU bash, version 4.2.8(1)-release
> (x86_64-pc-linux-gnu)<br /><br />$ bash --version<br />GNU bash,
> version 4.0.28(1)-release (i386-pc-solaris2.8)<br /><br />Bash fails
> to normalize path starting starting with "//" and will consider "/"
> and "//" to be different paths:<br /><br />$ cd /tmp && pwd<br
> />/tmp<br />$ cd //tmp && pwd<br />//tmp<br /><br />Scripts
> which do path normalization by:<code><span class="pln"><br
> />normalDir</span><span class="pun">=</span><span class="str">`cd
> "${dirToNormalize}";pwd`</span></code><br /><br />and check it against
> blacklists are vulnerable.
>
You've mistaken a feature for a bug.
The following quote is from IEEE Std 1003.1, 2004 Edition:
A pathname consisting of a single slash shall resolve to the root
directory of the process. A null pathname shall not be successfully
resolved. A pathname that begins with two successive slashes may be
interpreted in an implementation-defined manner, although more than
two leading slashes shall be treated as a single slash.
http://pubs.opengroup.org/onlinepubs/000095399/basedefs/xbd_chap04.html#tag_04_11
Bash has chosen to maintain the // version of a path in case the rest
of the system chooses to do something clever with it (such as automount
network shares).
Checking blacklists are more of a usability feature than a security
feature; if it were a security feature, it'd be a whitelist.
signature.asc
Description: Digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
