basic: forbid rm_rf() to remove paths ending with ".." (#5653)
authorJan Synacek <jan.synacek@gmail.com>
Wed, 29 Mar 2017 06:25:52 +0000 (08:25 +0200)
committerSven Eden <yamakuzure@gmx.net>
Tue, 25 Jul 2017 07:46:51 +0000 (09:46 +0200)
Fixes: #5644
src/basic/rm-rf.c

index 94c67bae330ce067cfbdd6a0c013bf8cdcb9b425..565f240e120d0e6750eda66ffc91a0706fb616b1 100644 (file)
@@ -190,6 +190,13 @@ int rm_rf(const char *path, RemoveFlags flags) {
         }
 
 #if 0 /// elogind does not support BTRFS this directly
+        /* Another safe-check. Removing "/path/.." could easily remove entire root as well.
+         * It's especially easy to do using globs in tmpfiles, like "/path/.*", which the glob()
+         * function expands to both "/path/." and "/path/..".
+         * Return -EINVAL to be consistent with rmdir("/path/."). */
+        if (endswith(path, "/..") || endswith(path, "/../"))
+                return -EINVAL;
+
         if ((flags & (REMOVE_SUBVOLUME|REMOVE_ROOT|REMOVE_PHYSICAL)) == (REMOVE_SUBVOLUME|REMOVE_ROOT|REMOVE_PHYSICAL)) {
                 /* Try to remove as subvolume first */
                 r = btrfs_subvol_remove(path, BTRFS_REMOVE_RECURSIVE|BTRFS_REMOVE_QUOTA);
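Review bot: The added guard sits directly below the `#if 0` line, so it is part of the disabled BTRFS region and is compiled out; as placed, rm_rf() in this tree still accepts a path ending in "..". Move the comment and the check `if (endswith(path, "/..") || endswith(path, "/../")) return -EINVAL;` above `#if 0` so the protection does not depend on BTRFS support. Separately, the two suffixes do not match a bare `..` or forms with repeated trailing slashes such as `/path/..//`, so comparing the last path component after stripping trailing slashes would be more robust. The matching `#endif` and the rest of rm_rf() are outside the hunk, so confirm the final placement against the full function.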