| author | Kaz Kylheku <kaz@kylheku.com> | 2022-07-25 09:45:49 -0700 |
|---|---|---|
| committer | Kaz Kylheku <kaz@kylheku.com> | 2022-07-25 09:45:49 -0700 |
| commit | c07c90c2283593f2dd97d0efeafacf4122bfda5e (patch) | |
| tree | 2459a4f97b5629d7d768344324538ceb856eb036 | |
| parent | d58903d185551d81edb7f65cf83ffa70db7dc12f (diff) | |
| download | safepath-c07c90c2283593f2dd97d0efeafacf4122bfda5e.tar.gz, safepath-c07c90c2283593f2dd97d0efeafacf4122bfda5e.tar.bz2, safepath-c07c90c2283593f2dd97d0efeafacf4122bfda5e.zip | |
README: add Known Caveats section.
* README: There is an issue with the trust in the current
working directory when relative paths are used.
| -rw-r--r-- | README.md | 15 |
|---|---|---|

1 file changed, 15 insertions, 0 deletions
@@ -55,6 +55,21 @@ can be manipulated by a different user. Every level of symlink resolution must be performed by substitution, and a check of all the new components that are thus inserted into the path. +## Known caveats + +`safepath_check` accepts both relative and absolute paths. Checking +a relative path begins with the `"."` directory, whereupon it is implicitly +trusted that the process had safely changed to this directory somehow. +However, that may not be so. The process may have traversed an untrusted +directory or symlink when it performed the `chdir` call to change to the +current directory. One might think that calling `getcwd` and validating the +resulting absolute path with `safepath_check` is enough, but that may not be +so: a malicious link could misdirect into a directory which has a safe absolute +path. The user's application could thereby be fooled into accessing or +modifying data, which the user owns, but which is not the intended target +of the access. If relative paths are used, it's recommended to first change to +desired directory using an absolute path which is checked for safety. + ## License `safepath` is offered under the two-clause BSD license. See the copyright |
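Review bot: the closing recommendation in the new "Known caveats" section ("it's recommended to first change to desired directory using an absolute path which is checked for safety") only covers applications that pick their own working directory; it says nothing about the common case where the process inherits its cwd from a shell or parent and never calls `chdir` itself. Consider adding one sentence for that case, e.g. "If the process did not establish the current directory itself, a successful `safepath_check` on a relative path says nothing about how that directory was reached, and relative paths should be treated as untrusted." Also, "change to desired directory" is missing "the", and the earlier sentence "the process had safely changed to this directory somehow" reads better as "has safely changed".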