[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-wget] security risk of unexpected download filenames
|
From: |
Giuseppe Scrivano |
|
Subject: |
Re: [Bug-wget] security risk of unexpected download filenames |
|
Date: |
Wed, 28 Jul 2010 21:40:10 +0200 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/23.1 (gnu/linux) |
I have pushed a patch to fix it with the commit 2409, it introduces a
new option --trust-server-names.
Cheers,
Giuseppe
Solar Designer <address@hidden> writes:
> Giuseppe, Micah, all -
>
> As I hope you're aware, oCERT has published an advisory on a security
> issue with lftp, wget, and libwww-perl. lftp and libwww-perl have fixed
> the issue. wget didn't.
>
> http://www.ocert.org/advisories/ocert-2010-001.html
>
> Here's a demonstration of an attack on what I think is a typical wget
> cron job:
>
> http://www.openwall.com/lists/oss-security/2010/05/18/13
>
> The attack provides a .wgetrc, which enables a second invocation of the
> cron job to overwrite a file such as .bash_profile. This is just one
> example. Please do not "fix" this by treating ".wgetrc" specially.
>
> Here's an unofficial patch for the issue:
>
> http://www.openwall.com/lists/oss-security/2010/05/17/2
>
> Now that we have a proof-of-concept real-world attack scenario and we
> readily have a patch, would you possibly consider fixing this upstream?
>
> Thanks,
>
> Alexander
=== modified file 'NEWS'
--- NEWS 2010-07-11 13:47:18 +0000
+++ NEWS 2010-07-28 19:22:13 +0000
@@ -33,6 +33,9 @@
** GNU TLS backend works again.
** Now --timestamping and --continue works well together.
+
+** By default, on server redirects, use the original URL to get the
+ local file name. Close CVE-2010-2252.
�
* Changes in Wget 1.12
=== modified file 'doc/wget.texi'
--- doc/wget.texi 2010-05-27 10:45:15 +0000
+++ doc/wget.texi 2010-07-28 19:13:05 +0000
@@ -1498,6 +1498,13 @@
@code{Content-Disposition} headers to describe what the name of a
downloaded file should be.
address@hidden Trust server names
address@hidden --trust-server-names
+
+If this is set to on, on a redirect the last component of the
+redirection URL will be used as the local file name. By default it is
+used the last component in the original URL.
+
@cindex authentication
@item --auth-no-challenge
@@ -2810,6 +2817,10 @@
Turn on recognition of the (non-standard) @samp{Content-Disposition}
HTTP header---if set to @samp{on}, the same as @samp{--content-disposition}.
address@hidden trust_server_names = on/off
+If set to on, use the last component of a redirection URL for the local
+file name.
+
@item continue = on/off
If set to on, force continuation of preexistent partially retrieved
files. See @samp{-c} before setting it.
=== modified file 'src/ChangeLog'
--- src/ChangeLog 2010-07-20 17:42:13 +0000
+++ src/ChangeLog 2010-07-28 18:44:11 +0000
@@ -1,3 +1,18 @@
+2010-07-28 Giuseppe Scrivano <address@hidden>
+
+ * http.h (http_loop): Add new argument `original_url'
+ * http.c (http_loop): Add new argument `original_url'. Use
+ `original_url' to get a filename if `trustservernames' is false.
+
+ * init.c (commands): Add "trustservernames".
+
+ * options.h (library): Add variable `trustservernames'.
+
+ * main.c (option_data): Add trust-server-names.
+ (print_help): Describe --trust-server-names.
+
+ * retr.c (retrieve_url): Pass new argument to `http_loop'.
+
2010-07-20 Alan Jenkins <address@hidden> (tiny change)
* http.c (gethttp): Check content-length was set before trying to
=== modified file 'src/http.c'
--- src/http.c 2010-07-20 17:42:13 +0000
+++ src/http.c 2010-07-28 18:35:21 +0000
@@ -2593,8 +2593,9 @@
/* The genuine HTTP loop! This is the part where the retrieval is
retried, and retried, and retried, and... */
uerr_t
-http_loop (struct url *u, char **newloc, char **local_file, const char
*referer,
- int *dt, struct url *proxy, struct iri *iri)
+http_loop (struct url *u, struct url *original_url, char **newloc,
+ char **local_file, const char *referer, int *dt, struct url *proxy,
+ struct iri *iri)
{
int count;
bool got_head = false; /* used for time-stamping and filename
detection */
@@ -2641,7 +2642,8 @@
}
else if (!opt.content_disposition)
{
- hstat.local_file = url_file_name (u);
+ hstat.local_file =
+ url_file_name (opt.trustservernames ? u : original_url);
got_name = true;
}
@@ -2679,7 +2681,7 @@
/* Send preliminary HEAD request if -N is given and we have an existing
* destination file. */
- file_name = url_file_name (u);
+ file_name = url_file_name (opt.trustservernames ? u : original_url);
if (opt.timestamping && (file_exists_p (file_name)
|| opt.content_disposition))
send_head_first = true;
@@ -3039,9 +3041,9 @@
/* Remember that we downloaded the file for later ".orig" code. */
if (*dt & ADDED_HTML_EXTENSION)
- downloaded_file(FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED,
hstat.local_file);
+ downloaded_file (FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED,
hstat.local_file);
else
- downloaded_file(FILE_DOWNLOADED_NORMALLY, hstat.local_file);
+ downloaded_file (FILE_DOWNLOADED_NORMALLY, hstat.local_file);
ret = RETROK;
goto exit;
@@ -3072,9 +3074,9 @@
/* Remember that we downloaded the file for later ".orig" code.
*/
if (*dt & ADDED_HTML_EXTENSION)
- downloaded_file(FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED,
hstat.local_file);
+ downloaded_file (FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED,
hstat.local_file);
else
- downloaded_file(FILE_DOWNLOADED_NORMALLY, hstat.local_file);
+ downloaded_file (FILE_DOWNLOADED_NORMALLY, hstat.local_file);
ret = RETROK;
goto exit;
=== modified file 'src/http.h'
--- src/http.h 2010-05-08 19:56:15 +0000
+++ src/http.h 2010-07-28 18:11:35 +0000
@@ -33,8 +33,8 @@
struct url;
-uerr_t http_loop (struct url *, char **, char **, const char *, int *,
- struct url *, struct iri *);
+uerr_t http_loop (struct url *, struct url *, char **, char **, const char *,
+ int *, struct url *, struct iri *);
void save_cookies (void);
void http_cleanup (void);
time_t http_atotm (const char *);
=== modified file 'src/init.c'
--- src/init.c 2010-05-08 19:56:15 +0000
+++ src/init.c 2010-07-28 18:25:22 +0000
@@ -252,6 +252,7 @@
{ "timeout", NULL, cmd_spec_timeout },
{ "timestamping", &opt.timestamping, cmd_boolean },
{ "tries", &opt.ntry, cmd_number_inf },
+ { "trustservernames", &opt.trustservernames, cmd_boolean },
{ "useproxy", &opt.use_proxy, cmd_boolean },
{ "user", &opt.user, cmd_string },
{ "useragent", NULL, cmd_spec_useragent },
=== modified file 'src/main.c'
--- src/main.c 2010-06-20 10:10:35 +0000
+++ src/main.c 2010-07-28 19:02:25 +0000
@@ -266,6 +266,7 @@
{ "timeout", 'T', OPT_VALUE, "timeout", -1 },
{ "timestamping", 'N', OPT_BOOLEAN, "timestamping", -1 },
{ "tries", 't', OPT_VALUE, "tries", -1 },
+ { "trust-server-names", 0, OPT_BOOLEAN, "trustservernames", -1 },
{ "use-server-timestamps", 0, OPT_BOOLEAN, "useservertimestamps", -1 },
{ "user", 0, OPT_VALUE, "user", -1 },
{ "user-agent", 'U', OPT_VALUE, "useragent", -1 },
@@ -680,6 +681,8 @@
N_("\
-I, --include-directories=LIST list of allowed directories.\n"),
N_("\
+ --trust-server-names use the name specified by the redirection url last
component.\n"),
+ N_("\
-X, --exclude-directories=LIST list of excluded directories.\n"),
N_("\
-np, --no-parent don't ascend to the parent directory.\n"),
=== modified file 'src/options.h'
--- src/options.h 2010-05-08 19:56:15 +0000
+++ src/options.h 2010-07-28 18:24:09 +0000
@@ -242,6 +242,7 @@
char *encoding_remote;
char *locale;
+ bool trustservernames;
#ifdef __VMS
int ftp_stmlf; /* Force Stream_LF format for binary FTP. */
#endif /* def __VMS */
=== modified file 'src/retr.c'
--- src/retr.c 2010-05-08 19:56:15 +0000
+++ src/retr.c 2010-07-28 18:43:27 +0000
@@ -731,7 +731,8 @@
#endif
|| (proxy_url && proxy_url->scheme == SCHEME_HTTP))
{
- result = http_loop (u, &mynewloc, &local_file, refurl, dt, proxy_url,
iri);
+ result = http_loop (u, orig_parsed, &mynewloc, &local_file, refurl, dt,
+ proxy_url, iri);
}
else if (u->scheme == SCHEME_FTP)
{