Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

io/ioutil: reject path separators in TempDir, TempFile pattern #33920

Closed
snyff opened this issue Aug 28, 2019 · 11 comments
Closed

io/ioutil: reject path separators in TempDir, TempFile pattern #33920

snyff opened this issue Aug 28, 2019 · 11 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. Proposal Proposal-Accepted Security
Projects
Proposals (old)
Milestone
Go1.15

Comments

@snyff
Copy link

snyff commented Aug 28, 2019

In

go/src/io/ioutil/tempfile.go

Line 64 in f882d89

name := filepath.Join(dir, prefix+nextRandom()+suffix)
The prefix and suffix extracted from the variable pattern are used in filepath.Join. Since there is no filtering in place, this could lead to directory traversal vulnerabilities.

For example, the following value for pattern can create an unexpected behaviour:

ioutil.TempFile("/tmp", path.Base("../../somewhere/else.*.suffix"))

A less-surprising behaviour would be to call path.Base:

name := filepath.Join(dir, path.Base(prefix+nextRandom()+suffix))

@gopherbot gopherbot added this to the Proposal milestone Aug 28, 2019
@ianlancetaylor ianlancetaylor changed the title proposal: ioutil.TempFile: pattern should prevent directory traversal proposal: io/ioutil: TempFile: pattern should prevent directory traversal Sep 3, 2019
@ianlancetaylor
Copy link
Contributor

Are there any examples of real Go code that does not pass a string constant as the second argument to ioutil.TempFile?

@snyff
Copy link
Author

snyff commented Sep 3, 2019

I did a quick Github search for it and couldn't find it in the first few pages. But that's only publicly available code

Regardless, the current behaviour is unexpected and this small change can avoid people shooting themself in the foot.

@griesemer griesemer mentioned this issue Sep 3, 2019
Open
@ianlancetaylor
Copy link
Contributor

Well, it's a tradeoff. If there are programs intentionally using directory traversal, we break them. If there are programs accidentally using it, we fix them. If we don't know of any actual cases that would be fixed, the conservative approach is to leave well enough alone.

@snyff
Copy link
Author

snyff commented Sep 3, 2019
edited

I couldn't find any publicly available code using the directory traversal on purpose. My guess is that people would put the traversal in the first argument if they need to...

@FiloSottile
Copy link
Contributor

If we can't find examples of it being used either intentionally or unintentionally, in doubt I'd make it behave safely, which presumably is not going to break much, but might prevent security issues in the future.

Also, pattern is not even documented to accept path separators, and they definitely make more send in dir.

@snyff
Copy link
Author

snyff commented Nov 19, 2019

@ianlancetaylor what do you think?

@ianlancetaylor
Copy link
Contributor

The comment by @FiloSottile sounds reasonable to me.

@rsc
Copy link
Contributor

rsc commented Nov 27, 2019

name := filepath.Join(dir, path.Base(prefix+nextRandom()+suffix))

Please don't do this. What if suffix has a slash in it? Then the randomness is removed entirely.
If we're going to do anything at all, we should simply make TempFile return an error when pattern contains a file system path separator.

@rsc rsc added this to Incoming in Proposals (old) Nov 27, 2019
@rsc
Copy link
Contributor

rsc commented Nov 27, 2019

We shouldn't make this problematic case (which we think does not happen ever in real programs) silently succeed with an unexpected meaning. But assuming we simply return an error instead, this seems like a likely accept based on the discussion. Everyone agrees with doing something and no one thinks it matters for real programs.

Leaving open for a week for final comments.

@rsc rsc changed the title proposal: io/ioutil: TempFile: pattern should prevent directory traversal proposal: io/ioutil: reject path separators in TempDir, TempFile pattern Nov 27, 2019
@rsc rsc moved this from Incoming to Likely Accept in Proposals (old) Dec 4, 2019
@rsc rsc changed the title proposal: io/ioutil: reject path separators in TempDir, TempFile pattern io/ioutil: reject path separators in TempDir, TempFile pattern Dec 4, 2019
@rsc
Copy link
Contributor

rsc commented Dec 4, 2019

No change in consensus, so accepting.

@rsc rsc modified the milestones: Proposal, Go1.15 Dec 4, 2019
@ianlancetaylor ianlancetaylor added the NeedsFix The path to resolution is known, but the work has not been done. label Dec 4, 2019
@rsc rsc moved this from Likely Accept to Accepted in Proposals (old) Dec 11, 2019
@gopherbot
Copy link

Change https://golang.org/cl/212597 mentions this issue: ioutil: reject path separators in TempDir, TempFile pattern

@golang golang locked and limited conversation to collaborators Feb 25, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. Proposal Proposal-Accepted Security
Projects
No open projects
Proposals (old)
Accepted
Milestone
Go1.15
Development

No branches or pull requests
5 participants
@snyff @rsc @FiloSottile @ianlancetaylor @gopherbot