Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: bash path normalization bug
From: Seth Arnold <seth.arnold () canonical com>
Date: Mon, 19 Nov 2012 11:00:43 -0800

On Thu, Nov 15, 2012 at 10:09:56PM +0200, Andris Berzins wrote:
$ bash --version<br />GNU bash, version 4.2.8(1)-release
(x86_64-pc-linux-gnu)<br /><br />$ bash --version<br />GNU bash,
version 4.0.28(1)-release (i386-pc-solaris2.8)<br /><br />Bash fails
to normalize path starting starting with "//" and will consider "/"
and "//" to be different paths:<br /><br />$ cd /tmp &amp;&amp; pwd<br
/>/tmp<br />$ cd //tmp &amp;&amp; pwd<br />//tmp<br /><br />Scripts
which do path normalization by:<code><span class="pln"><br
/>normalDir</span><span class="pun">=</span><span class="str">`cd
"${dirToNormalize}";pwd`</span></code><br /><br />and check it against
blacklists are vulnerable.

You've mistaken a feature for a bug.

The following quote is from IEEE Std 1003.1, 2004 Edition:

    A pathname consisting of a single slash shall resolve to the root
    directory of the process. A null pathname shall not be successfully
    resolved. A pathname that begins with two successive slashes may be
    interpreted in an implementation-defined manner, although more than
    two leading slashes shall be treated as a single slash.


Bash has chosen to maintain the // version of a path in case the rest
of the system chooses to do something clever with it (such as automount
network shares).

Checking blacklists are more of a usability feature than a security
feature; if it were a security feature, it'd be a whitelist.

Attachment: signature.asc
Description: Digital signature

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]