diff options
author | Ravishankar N <ravishankar@redhat.com> | 2018-11-01 21:31:41 +0530 |
---|---|---|
committer | Pranith Kumar Karampuri <pkarampu@redhat.com> | 2018-11-05 10:51:03 +0000 |
commit | bd1a8fc74ac9322384daab94bf5736cae15ecbfe (patch) | |
tree | 79bd59408d57cbe723f09992fecfa964f3220a50 /xlators/storage | |
parent | 643c9d049de970d27b2bfa806c4d47ea6eabefe6 (diff) |
index: prevent arbitrary file creation outside entry-changes folder
Problem:
A compromised client can set arbitrary values for the GF_XATTROP_ENTRY_IN_KEY
and GF_XATTROP_ENTRY_OUT_KEY during xattrop fop. These values are
consumed by index as a filename to be created/deleted according to the key.
Thus it is possible to create/delete random files even outside the gluster
volume boundary.
Fix:
Index expects the filename to be a basename, i.e. it must not contain any
pathname components like "/" or "../". Enforce this.
Fixes: CVE-2018-14654
Fixes: bz#1644760
Change-Id: I35f2a39257b5917d17283d0a4f575b92f783f143
Signed-off-by: Ravishankar N <ravishankar@redhat.com>
Diffstat (limited to 'xlators/storage')
0 files changed, 0 insertions, 0 deletions