[dev.icinga.com #9705] Add real path sanity checks to provided file paths

[icinga-migration]

This issue has been migrated from Redmine: https://dev.icinga.com/issues/9705

Created by mfriedrich on 2015-07-22 13:26:12 +00:00

Assignee: mfriedrich
Status: Resolved (closed on 2015-07-23 15:59:50 +00:00)
Target Version: 2.4.0
Last Update: 2015-07-24 18:26:39 +00:00 (in Redmine)

Backport?: No
Include in Changelog: 0

---

"../../../conf.d/bla.conf" must not be able to escape the local config module stage jail. In a similar fashion, "conf.d/../../../bla.conf" must be detected and should generate an error.

Changesets

2015-07-23 15:57:24 +00:00 by (unknown) fca7a33

Implement config file management for the API

refs #9083

fixes #9102
fixes #9103
fixes #9104

fixes #9705

---

Parent Task: #9104

[icinga-migration]

Updated by mfriedrich on 2015-07-23 15:21:06 +00:00

$ openssl s_client -connect localhost:5665

---
POST /v1/config/modules HTTP/1.1
Authorization: Basic bWljaGk6aWNpbmdh

{ "module": "../bla" }

HTTP/1.1 403 Forbidden
Transfer-Encoding: chunked
Server: Icinga/v2.3.0-383-g9411709

[icinga-migration]

Updated by mfriedrich on 2015-07-23 15:21:19 +00:00

• Status changed from New to Assigned
• Assigned to set to mfriedrich
• Estimated Hours set to 2

[icinga-migration]

Updated by Anonymous on 2015-07-23 15:59:50 +00:00

• Status changed from Assigned to Resolved
• Done % changed from 0 to 100

Applied in changeset fca7a33.

[icinga-migration]

Updated by mfriedrich on 2015-07-24 18:26:40 +00:00

• Backport? changed from TBD to No
• Include in Changelog changed from 1 to 0