From c07c90c2283593f2dd97d0efeafacf4122bfda5e Mon Sep 17 00:00:00 2001 From: Kaz Kylheku Date: Mon, 25 Jul 2022 09:45:49 -0700 Subject: README: add Known Caveats section. * README: There is an issue with the trust in the current working directory when relative paths are used. --- README.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/README.md b/README.md index e676d9f..54235a0 100644 --- a/README.md +++ b/README.md @@ -55,6 +55,21 @@ can be manipulated by a different user. Every level of symlink resolution must be performed by substitution, and a check of all the new components that are thus inserted into the path. +## Known caveats + +`safepath_check` accepts both relative and absolute paths. Checking +a relative path begins with the `"."` directory, whereupon it is implicitly +trusted that the process had safely changed to this directory somehow. +However, that may not be so. The process may have traversed an untrusted +directory or symlink when it performed the `chdir` call to change to the +current directory. One might think that calling `getcwd` and validating the +resulting absolute path with `safepath_check` is enough, but that may not be +so: a malicious link could misdirect into a directory which has a safe absolute +path. The user's application could thereby be fooled into accessing or +modifying data, which the user owns, but which is not the intended target +of the access. If relative paths are used, it's recommended to first change to +desired directory using an absolute path which is checked for safety. + ## License `safepath` is offered under the two-clause BSD license. See the copyright -- cgit v1.2.3
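Review bot: the closing recommendation of the new "Known caveats" section ("first change to desired directory using an absolute path which is checked for safety") is missing the article "the" and leaves the check unspecified; state it concretely, e.g. "first `chdir` to the desired directory using an absolute path that has been validated with `safepath_check`, rather than relying on the current working directory". The `getcwd` paragraph would also read more clearly if it said outright why a safe-looking result is insufficient: the directory that `getcwd` reports can have a safe absolute path and still be the wrong directory, because the `chdir` that led there followed an attacker-controlled symlink, and validating the cwd after the fact cannot reveal how it was reached. Finally, the opening sentence could state the limitation plainly instead of hedging with "may not be so": when given a relative path, `safepath_check` starts at `"."` and does not examine the components by which the process arrived at its current directory.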