[tahoe-lafs-trac-stream] [Tahoe-LAFS] #2506: Magic Folder: enforce that downloaded files are only written below the magic folder directory
Tahoe-LAFS
trac at tahoe-lafs.org
Thu Sep 17 07:44:21 UTC 2015
#2506: Magic Folder: enforce that downloaded files are only written below the
magic folder directory
-------------------------------------------------+-------------------------
Reporter: daira | Owner: daira
Type: defect | Status: new
Priority: major | Milestone:
Component: code-frontend-magic-folder | undecided
Keywords: otf-magic-folder-objective4 test- | Version: n/a
needed security unicode path | Launchpad Bug:
-------------------------------------------------+-------------------------
https://github.com/tahoe-lafs/tahoe-
lafs/blob/665c36e45cab3487f279ccae44f79f606613c8f2/src/allmydata/frontends/magic_folder.py#L539
Since `name` comes from another client's DMD and is an arbitrary string,
it can be an absolute path, or contain "`..`" path elements, or start with
"`~`", which would cause the file to be written somewhere that might not
be below this client's magic folder directory.
We should use `FilePath.preauthChild` to prevent this, and to provide a
clearer type distinction between relative and absolute paths.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2506>
Tahoe-LAFS <https://Tahoe-LAFS.org>
secure decentralized storage
More information about the tahoe-lafs-trac-stream
mailing list