From 3ce764351c0cdf01637eb0f19ec9846e91ca3f35 Mon Sep 17 00:00:00 2001
From: Amar Tumballi
Date: Wed, 15 Jul 2009 01:38:33 +0000
Subject: add strict validatation of GF_OPTION_TYPE_PATH option type.
Make sure that users don't provide "../" in the path value in volume file, which should be considered security issue.
Signed-off-by: Anand V. Avati
BUG: 141 (GF_OPTION_TYPE_PATH should check for presence of ".." in path)
URL: http://bugs.gluster.com/cgi-bin/bugzilla3/show_bug.cgi?id=141
---
 libglusterfs/src/xlator.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
(limited to 'libglusterfs')
diff --git a/libglusterfs/src/xlator.c b/libglusterfs/src/xlator.c
index 6f5da84b4..351e24344 100644
--- a/libglusterfs/src/xlator.c
+++ b/libglusterfs/src/xlator.c
@@ -247,7 +247,15 @@ _volume_option_value_validate (xlator_t *xl,
 switch (opt->type) {
 case GF_OPTION_TYPE_PATH:
 {
- /* Make sure the given path is valid */
+ if (strstr (pair->value->data, "../")) {
+ gf_log (xl->name, GF_LOG_ERROR,
+ "invalid path given '%s'",
+ pair->value->data);
+ ret = -1;
+ goto out;
+ }
+
+ /* Make sure the given path is valid */
 if (pair->value->data[0] != '/') {
 gf_log (xl->name, GF_LOG_WARNING,
 "option %s %s: '%s' is not an "
-- cgit
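Review bot: The `strstr (pair->value->data, "../")` test at the top of the `GF_OPTION_TYPE_PATH` case matches a substring rather than a path component, so a value that ends in `/..` passes the check while a legitimate name such as `/data/old../x` is rejected. BUG 141 in the commit message asks for a check on `..`; scanning the `/`-separated components and rejecting any that is exactly `..` covers both cases, as in the lines below. The new error message also does not say which option the value came from, unlike the warning that follows it. The case block continues past the end of the hunk.

```c
                case GF_OPTION_TYPE_PATH:
                {
                        /* Reject any ".." path component, including a trailing
                         * one, without flagging names that merely contain
                         * the characters "../". */
                        const char *comp = pair->value->data;

                        while (*comp) {
                                size_t len = strcspn (comp, "/");

                                if (len == 2 && comp[0] == '.' && comp[1] == '.') {
                                        gf_log (xl->name, GF_LOG_ERROR,
                                                "invalid path given '%s'",
                                                pair->value->data);
                                        ret = -1;
                                        goto out;
                                }
                                comp += len;
                                if (*comp == '/')
                                        comp++;
                        }

                        /* … unchanged: absolute-path check on data[0] … */
```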