Traversing symlinks

Martin Geisler mg at lazybytes.net
Thu May 19 16:28:16 CDT 2011


Matt Mackall <mpm at selenic.com> writes:

> On Thu, 2011-05-19 at 21:25 +0200, Sune Foldager wrote:
>> On 19-05-2011 19:42, Matt Mackall wrote:
>>
>>> For bonus points, you've also broken checkouts on Windows. You may
>>> commence wearing a brown paper bag on your head... now.
>>
>> Bah... this is poisonous and arro... no wait. But seriously, this is
>> stupid. Let's be civil; no one's trying to steal your candy.
>
> On the other hand, I completely failed to get Martin (or Dominick) to
> stop and think yesterday; other more blunt methods were clearly called
> for.

No, it wasn't. I have worked with cryptography the last four years and I
have been teaching classes on practical security and software exploits.
So I know something about security and I *did* sit down to think about
any immediate problems with allowing symlink inside the tree.

I saw that Benoit asked you on IRC how you had disabled the symlink
check and you said

  <mpm> 21:58:11> "0 and"

That was of course *not* what I talked about -- I never suggested
completely disabling the check. That would be stupid... please don't
assume we're so stupid around here.

> But it's not meant to be mean-spirited.

I think you need to begin adding a lot of smileys to your mails. That
will help convey the right spirit. I love a good joke, even when it's on
me, but you need to deliver it with a smile :-)

> (Also, lots of candy is obviously at stake here.)
>
>> > I'm not going to tell you which of several possible exploits I used
>> > just yet, as the point of this exercise is to demonstrate that just
>> > because you can't imagine an attack doesn't mean it doesn't exist.
>> 
>> Well for educational purpose, why don't you divulge your expert
>> knowledge? :) I, for one, would like to know.
>
> Well, it's not really cool for project leaders to post their own 0-day
> 'sploits with vulnerable clients still out there. So not yet.

It would be very interesting to see an attack that exploits a symlink
pointing inside the tree.

> And I really want people to think -creatively- about all the ways that
> something could go wrong here before proposing changes. If I just tell
> you what I did, then I'll instead almost certainly get a patch that
> focuses on _my specific exploit_.

No, you wouldn't. Now you're assuming we're dumb again. I'm sure we all
know that fixing one security problem does not prove anything about the
absence of other problems.

-- 
Martin Geisler

Mercurial links: http://mercurial.ch/
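The thread above turns on what "a symlink pointing inside the tree" means for a checkout. The following is an added example, not Mercurial's code and not anything either participant posted: it contrasts a purely lexical containment check (normalize link directory plus target and see whether it escapes the root) with a check that resolves the link through the filesystem. The temporary tree it builds (a `root` directory with two links, `b -> ../outside` and `a -> b`, beside an `outside` directory) is constructed for the demonstration, as are all function names.

```python
import os
import shutil
import tempfile


def lexical_inside_tree(link, target):
    """Lexical check only (constructed example).

    `link` is the link's path relative to the tree root, `target` the raw
    symlink target. Absolute targets never qualify; otherwise join the
    target onto the link's directory, normalize, and reject anything that
    climbs above the root.
    """
    if os.path.isabs(target):
        return False
    joined = os.path.normpath(os.path.join(os.path.dirname(link), target))
    return not (joined == ".." or joined.startswith(".." + os.sep))


def resolved_inside_tree(root, link):
    """Filesystem check: follow every symlink component and see where the
    link really lands. This sees chains through other symlinks that the
    lexical check cannot."""
    real_root = os.path.realpath(root)
    real_target = os.path.realpath(os.path.join(root, link))
    return real_target == real_root or real_target.startswith(real_root + os.sep)


def build_demo_tree():
    """Build a constructed tree in a temp dir and return (tmpdir, root):

        <tmp>/outside            a directory outside the tree
        <tmp>/root/b -> ../outside   link that leaves the tree
        <tmp>/root/a -> b            link whose target is lexically inside
    """
    tmp = tempfile.mkdtemp()
    root = os.path.join(tmp, "root")
    os.makedirs(os.path.join(tmp, "outside"))
    os.makedirs(root)
    os.symlink("../outside", os.path.join(root, "b"))
    os.symlink("b", os.path.join(root, "a"))
    return tmp, root


def check_links(root):
    """Run both checks on every symlink directly under root.

    Returns {name: (lexical_ok, resolved_ok)}.
    """
    results = {}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if os.path.islink(path):
            target = os.readlink(path)
            results[name] = (
                lexical_inside_tree(name, target),
                resolved_inside_tree(root, name),
            )
    return results


def cleanup(tmp):
    """Remove the constructed tree."""
    shutil.rmtree(tmp)


if __name__ == "__main__":
    tmp, root = build_demo_tree()
    for name, (lexical_ok, resolved_ok) in check_links(root).items():
        print(f"{name}: lexical={lexical_ok} resolved={resolved_ok}")
    cleanup(tmp)
```

Link `a` passes the lexical check (its target `b` is a tree-relative name) yet resolves outside the root, because `b` itself leaves the tree; only the filesystem check notices. The resolved check is also only as good as the moment it runs: links written earlier in the same checkout change what later paths resolve to, so a checkout that writes through a path has to apply it to the state on disk at the time of the write, not to the manifest alone.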