summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKaz Kylheku <kaz@kylheku.com>2022-07-30 16:06:04 -0700
committerKaz Kylheku <kaz@kylheku.com>2022-07-30 16:06:04 -0700
commit01e1dc8af54375c50e2cf8889a58a781b42bcae3 (patch)
tree39cf9b6fcc16e6a8786fb406232d5b99bc6e6829
parent49255506f37ba61514c55b2f8bd6515ba1cae3c3 (diff)
downloadtxr-01e1dc8af54375c50e2cf8889a58a781b42bcae3.tar.gz
txr-01e1dc8af54375c50e2cf8889a58a781b42bcae3.tar.bz2
txr-01e1dc8af54375c50e2cf8889a58a781b42bcae3.zip
path-components-safe: check symlink link count.
* stdlib/path-test.tl (path-components-safe): Reject symlinks that have a link count not equal to one. This looks suspiciously like a hard link attack.
-rw-r--r--stdlib/path-test.tl5
1 files changed, 3 insertions, 2 deletions
diff --git a/stdlib/path-test.tl b/stdlib/path-test.tl
index 55b5e842..ceb83c3a 100644
--- a/stdlib/path-test.tl
+++ b/stdlib/path-test.tl
@@ -222,8 +222,9 @@
(if (> (inc count) 16)
(throwf 'file-error "~a: too many symbolic links"
'path-components-safe))
- (if (or (zerop st.uid)
- (eql st.uid (geteuid)))
+ (if (and (eql 1 st.nlink)
+ (or (zerop st.uid)
+ (eql st.uid (geteuid))))
(let* ((target (readlink nxpath))
(abs-p (abs-path-p target))
(tcomps (remqual "" (sspl path-sep-chars target))))