author | Amar Tumballi <amar@gluster.com> | 2009-07-15 01:38:33 +0000 |
---|---|---|
committer | Anand V. Avati <avati@dev.gluster.com> | 2009-07-16 00:37:33 -0700 |
commit | 3ce764351c0cdf01637eb0f19ec9846e91ca3f35 (patch) | |
tree | 0432a64253b92dd6e01f798cc34eb9255985283a | |
parent | 61d9179fd8e884e3ace5b1ffd38f89e5032dbb42 (diff) |
add strict validation of GF_OPTION_TYPE_PATH option type.
Make sure that users don't provide "../" in the path value in volume file,
which should be considered a security issue.
Signed-off-by: Anand V. Avati <avati@dev.gluster.com>
BUG: 141 (GF_OPTION_TYPE_PATH should check for presence of ".." in path)
URL: http://bugs.gluster.com/cgi-bin/bugzilla3/show_bug.cgi?id=141
-rw-r--r-- | libglusterfs/src/xlator.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/libglusterfs/src/xlator.c b/libglusterfs/src/xlator.c index 6f5da84b4c0..351e2434467 100644 --- a/libglusterfs/src/xlator.c +++ b/libglusterfs/src/xlator.c @@ -247,7 +247,15 @@ _volume_option_value_validate (xlator_t *xl, switch (opt->type) { case GF_OPTION_TYPE_PATH: { - /* Make sure the given path is valid */ + if (strstr (pair->value->data, "../")) { + gf_log (xl->name, GF_LOG_ERROR, + "invalid path given '%s'", + pair->value->data); + ret = -1; + goto out; + } + + /* Make sure the given path is valid */ if (pair->value->data[0] != '/') { gf_log (xl->name, GF_LOG_WARNING, "option %s %s: '%s' is not an " |
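Review bot: the new `strstr (pair->value->data, "../")` test at the top of the `GF_OPTION_TYPE_PATH` case is a plain substring match, so it misses a value whose final component is `..` with no trailing slash (for example `/export/..`), even though the bug title asks for a check on the presence of ".." in the path. It also rejects a harmless component that merely ends in two dots, such as `/export/a../b`. Consider splitting the value on `/` and rejecting any component that is exactly `..`. Separately, the new `"invalid path given '%s'"` message omits the option key, while the warning that follows it prints the key through `option %s %s`; including the key here too would make the offending volume-file line easier to locate.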