comsat: Don't read arbitrary files
Closed, Public

Authored by des on Jul 27 2025, 7:48 PM.

Details

Summary

When processing a notification, instead of accepting any file name
that doesn't begin with a slash, accept only file names that don't
contain any slashes at all. This makes it possible to notify a
user about a mailbox that doesn't bear their name, as long as they
are permitted to read it, but prevents comsat from reading files
outside the mail spool.

PR: 270404
MFC after: 1 week
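
The two rules named in the summary, side by side, as an added example that is not the committed comsat code: it parses the `user@mailbox-offset[:mailbox-name]` message form documented in comsat(8) and builds the path that would be opened. `SPOOL_DIR`, the function names, the sample messages, and the choice to discard a message that fails the rule are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

#define SPOOL_DIR "/var/mail"	/* assumed spool location for this sketch */

/* Old rule from the summary: any name that does not begin with a slash. */
static int old_rule(const char *file) { return file[0] != '/'; }

/* New rule from the summary: no slash anywhere, so the name stays a
 * single path component under the spool directory. */
static int new_rule(const char *file) { return strchr(file, '/') == NULL; }

/* Parse "user@offset[:mailbox-name]" and build the path to open.
 * Returns 0, or -1 if the message is malformed or fails the rule. */
static int mailbox_path(const char *msg, int (*rule)(const char *),
    char *out, size_t outlen)
{
	char buf[256], *at, *colon;
	const char *file;
	int n;

	if (strlen(msg) >= sizeof(buf))
		return (-1);
	strcpy(buf, msg);
	if ((at = strchr(buf, '@')) == NULL)
		return (-1);
	*at = '\0';			/* buf now holds the user name */
	colon = strchr(at + 1, ':');
	file = (colon != NULL) ? colon + 1 : buf;	/* default: user's own box */
	if (!rule(file))
		return (-1);
	n = snprintf(out, outlen, "%s/%s", SPOOL_DIR, file);
	return ((n < 0 || (size_t)n >= outlen) ? -1 : 0);
}

int main(void)
{
	/* Constructed notifications, not captured traffic. */
	const char *msgs[] = { "alice@0", "alice@0:shared",
	    "alice@0:../../etc/motd" };
	char path[512];
	for (size_t i = 0; i < sizeof(msgs) / sizeof(msgs[0]); i++) {
		int o = mailbox_path(msgs[i], old_rule, path, sizeof(path));
		int n = mailbox_path(msgs[i], new_rule, path, sizeof(path));
		printf("%-24s old=%s new=%s\n", msgs[i],
		    o == 0 ? "accept" : "reject", n == 0 ? "accept" : "reject");
	}
	return (0);
}
```

A mailbox name such as `shared` passes both rules, which is the "mailbox that doesn't bear their name" case the summary keeps working; only the relative path with embedded slashes changes from accepted to rejected.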

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

des requested review of this revision. Jul 27 2025, 7:48 PM

Sorry, just realized this is incomplete. Will update in a bit.

Maybe we want to just discard a notification with a / in it rather than falling back to name (but I'm fine either way).

libexec/comsat/comsat.c:192

Probably worth calling out this cleanup specifically in the commit message.

This revision is now accepted and ready to land. Jul 28 2025, 2:58 PM
This revision was automatically updated to reflect the committed changes.