Traversing symlinks

Dominik Psenner dpsenner at gmail.com
Fri May 20 03:39:56 CDT 2011



> -----Original Message-----
> From: mercurial-devel-bounces at selenic.com [mailto:mercurial-devel-
> bounces at selenic.com] On Behalf Of Matt Mackall
> Sent: Thursday, May 19, 2011 7:43 PM
> To: Martin Geisler
> Cc: Mercurial Developers
> Subject: Re: Traversing symlinks
> 
> On Thu, 2011-05-19 at 14:17 +0200, Martin Geisler wrote:
> > Matt Mackall <mpm at selenic.com> writes:
> >
> > > On Mon, 2011-05-16 at 19:57 +0200, Martin Geisler wrote:
> > >> Hi guys,
> > >>
> > >> Way back in 2007, this changeset was added:
> > >>
> > >>   http://selenic.com/hg/rev/d316124ebbea
> > >>
> > >> It makes Mercurial abort when it encounters a symlink on the way to a
> > >> file -- even when the symlink points inside the repository:
> > >>
> > >>   $ ln -s contrib extra
> > >>   $ hg status extra/mq.el
> > >>   abort: path 'extra/mq.el' traverses symbolic link 'extra'
> > >>
> > >> This seems a tad too restrictive to me,
> > >
> > > Ok, do tell, what have you lost by not being able to ask for the
> > > status of a path you can't commit?
> >
> > Oh, you must have misunderstood me -- after the change you would be able
> > to do
> >
> >   $ hg commit extra/mq.el
> >
> > just fine.
> 
> Congratulations, you've just introduced a security hole that allows
> remote attackers to 0wn you on clone.
> 
> Just for kicks, I tried my hand at making an evil repo. Here's what
> happens when we weaken the check on line 119 of scmutil.py as you've
> proposed and clone my nasty little repo:
> 
>  $ hg clone http://localhost:8000/ a2
>  requesting all changes
>  adding changesets
>  adding manifests
>  adding file changes
>  added 1 changesets with 2 changes to 2 files
>  updating to branch default
>  *** y00 haz bin 0wnz0red ***
>  2 files updated, 0 files merged, 0 files removed, 0 files unresolved
> 
> For bonus points, you've also broken checkouts on Windows.
> 
> You may commence wearing a brown paper bag on your head... now.
> 
> I'm not going to tell you which of several possible exploits I used just
> yet, as the point of this exercise is to demonstrate that just because
> you can't imagine an attack doesn't mean it doesn't exist.

Indeed, you probably got both of us. :-) I could not imagine that a symlink
could be abused to change the behaviour of a _remote_ host. Also, I don't
understand yet how. I should probably hide in a nice dark corner until I
grasp it, but it does not stop smelling fishy. Out of curiosity: can you
reproduce the hack by replacing the symlink with the actual file that the
link points to?

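The check Matt is defending, written out as an added stand-alone example (this is not Mercurial's scmutil.py, and the root, file names and the `extra -> contrib` layout are constructed): every directory prefix of a working-directory path is tested for being a symlink before the final component is touched, so a checkout can never write a file *through* a link that the repository itself supplied. It also rejects absolute paths, `..` components and anything under `.hg`, as Mercurial's audit does; it assumes a POSIX host where `os.symlink` works unprivileged.

```python
import os
import tempfile


class PathAuditError(Exception):
    """Raised when a repository path must not be touched on disk."""


def audit_path(root, path):
    """Reject repo-relative paths that are absolute, escape the root via '..',
    enter '.hg', or pass through a symlink before the final component.
    Hypothetical rewrite of the working-directory audit, not scmutil.py."""
    if os.path.isabs(path) or path[:1] in ("/", "\\"):
        raise PathAuditError("path %r is absolute" % path)
    parts = [p for p in path.replace("\\", "/").split("/") if p]
    if ".." in parts:
        raise PathAuditError("path %r contains '..'" % path)
    if any(p.lower() == ".hg" for p in parts):
        raise PathAuditError("path %r is inside .hg" % path)
    # Check every prefix except the last component: the final element may
    # itself be a tracked symlink, but nothing may be reached *through* one,
    # because writing there would land wherever the link points.
    prefix = root
    for part in parts[:-1]:
        prefix = os.path.join(prefix, part)
        if os.path.islink(prefix):
            raise PathAuditError(
                "path %r traverses symbolic link %r" % (path, part))
    return os.path.join(root, *parts)


def demo():
    """Constructed layout: contrib/mq.el plus a symlink extra -> contrib
    inside a temporary root. Returns path -> 'ok' or the audit message."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "contrib"))
    open(os.path.join(root, "contrib", "mq.el"), "w").close()
    os.symlink("contrib", os.path.join(root, "extra"))
    results = {}
    for p in ("contrib/mq.el", "extra/mq.el", "extra",
              "../outside.txt", ".hg/requires"):
        try:
            audit_path(root, p)
            results[p] = "ok"
        except PathAuditError as e:
            results[p] = str(e)
    return results


if __name__ == "__main__":
    for path, outcome in demo().items():
        print("%-16s %s" % (path, outcome))
```

`extra` on its own is accepted because a symlink may be a tracked file; `extra/mq.el` is refused exactly as in the `hg status` transcript above.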


