os, net/http: avoid escapes from os.DirFS and http.Dir on Windows CVE-2022-41720 #56694

Closed
neild opened this issue Nov 10, 2022 · 7 comments

neild commented Nov 10, 2022

This is a PRIVATE issue for CVE-2022-41720 tracked in http://b/257275141.

os, net/http: avoid escapes from os.DirFS and http.Dir on Windows

The os.DirFS function and http.Dir type provide access to a tree of files
rooted at a given directory. These functions permitted access to Windows
device files under that root. For example, os.DirFS("C:/tmp").Open("COM1")
would open the COM1 device.
Both os.DirFS and http.Dir only provide read-only filesystem access.

In addition, on Windows, an os.DirFS for the directory \ (the root of the
current drive) can permit a maliciously crafted path to escape from the
drive and access any path on the system.

The behavior of os.DirFS("") has changed. Previously, an empty root was
treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp".
This now returns an error.

neild commented Nov 30, 2022

@gopherbot please open backport issues.

@gopherbot

Backport issue(s) opened: #57005 (for 1.18), #57006 (for 1.19).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@dmitshur added this to the Go1.20 milestone Dec 6, 2022
@gopherbot

Change https://go.dev/cl/455362 mentions this issue: [release-branch.go1.19] os, net/http: avoid escapes from os.DirFS and http.Dir on Windows

@gopherbot

Change https://go.dev/cl/455360 mentions this issue: [release-branch.go1.18] os, net/http: avoid escapes from os.DirFS and http.Dir on Windows

gopherbot pushed a commit that referenced this issue Dec 6, 2022
… http.Dir on Windows

Do not permit access to Windows reserved device names (NUL, COM1, etc.)
via os.DirFS and http.Dir filesystems.

Avoid escapes from os.DirFS(`\`) on Windows. DirFS would join
the root to the relative path with a path separator, making
os.DirFS(`\`).Open(`/foo/bar`) open the path `\\foo\bar`, which is
a UNC name. Not only does this not open the intended file, but permits
reference to any file on the system rather than only files on the
current drive.

Make os.DirFS("") invalid, with all file access failing. Previously,
a root of "" was interpreted as "/", which is surprising and probably
unintentional.

Fixes CVE-2022-41720.
Fixes #56694.

Change-Id: I275b5fa391e6ad7404309ea98ccc97405942e0f0
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663832
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/455360
Reviewed-by: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Jenny Rakoczy <jenny@golang.org>
gopherbot pushed a commit that referenced this issue Dec 6, 2022
… http.Dir on Windows

Fixes CVE-2022-41720
Fixes #56694

Change-Id: I275b5fa391e6ad7404309ea98ccc97405942e0f0
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663834
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/455362
Reviewed-by: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Jenny Rakoczy <jenny@golang.org>
@toothrot changed the title from "security: fix CVE-2022-41720" to "os, net/http: avoid escapes from os.DirFS and http.Dir on Windows CVE-2022-41720" Dec 6, 2022
@gopherbot

Change https://go.dev/cl/455716 mentions this issue: os, net/http: avoid escapes from os.DirFS and http.Dir on Windows

@tangxi666

@neild Hello, neild. I have a question. You mentioned
"on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system.".
In my understanding, this is the problem brought by the CL. Does that matter?

andrew-d pushed a commit to tailscale/go that referenced this issue Dec 7, 2022
… http.Dir on Windows

Fixes CVE-2022-41720
Fixes golang#56694

Change-Id: I275b5fa391e6ad7404309ea98ccc97405942e0f0
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663834
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/455362
Reviewed-by: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Jenny Rakoczy <jenny@golang.org>

yairmzr commented Dec 21, 2022

@neild I would like to point out that the third issue in this CVE is also exploitable on Linux:

os.DirFS("").Open("etc/shadow")

In addition, the trigger of the second issue as described in the fix commit here is incorrect.
Windows is using \ as a double-slash so the correct trigger to open the UNC path \\foo\bar is:

os.DirFS(`\`).Open(`foo/bar`)

and not:

os.DirFS(`\`).Open(`/foo/bar`)

May you please revise the phrasing of the GitHub issue and NVD to more clearly indicate this CVE's potential impact on systems other than Windows?
As it stands, the description seems to imply that the vulnerability only affects Windows, which is inaccurate.
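
An added example, not part of this thread and not the Go project's fix: a guard for programs that may still be built with a Go release that predates this change, rejecting the three cases described in the issue (reserved device names, a `\` root, an empty root) before a name reaches os.DirFS. The names `guardedDir`, `checkName` and `reservedElem` are hypothetical, and the device-name rule and the backslash rejection are conservative assumptions of this example, not Go's own check.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"strings"
)

// reservedElem: conservative approximation (an assumption of this example) of
// the Windows device-name rule; case, extension and trailing spaces are ignored.
func reservedElem(elem string) bool {
	if i := strings.IndexAny(elem, ".:"); i >= 0 {
		elem = elem[:i]
	}
	elem = strings.ToUpper(strings.TrimRight(elem, " "))
	if len(elem) == 4 && (elem[:3] == "COM" || elem[:3] == "LPT") {
		return elem[3] >= '0' && elem[3] <= '9'
	}
	return elem == "CON" || elem == "PRN" || elem == "AUX" || elem == "NUL"
}

// checkName accepts only clean relative slash paths with no backslash and
// no reserved device name in any element.
func checkName(name string) error {
	if !fs.ValidPath(name) || strings.Contains(name, `\`) {
		return fs.ErrInvalid
	}
	for _, elem := range strings.Split(name, "/") {
		if reservedElem(elem) {
			return fs.ErrInvalid
		}
	}
	return nil
}

// guardedDir is a hypothetical fs.FS wrapper around os.DirFS.
type guardedDir string

func (d guardedDir) Open(name string) (fs.File, error) {
	err := checkName(name)
	if d == "" || d == `\` || d == "/" { // example policy: no empty or bare-separator root
		err = fs.ErrInvalid
	}
	if err != nil {
		return nil, &fs.PathError{Op: "open", Path: name, Err: err}
	}
	return os.DirFS(string(d)).Open(name)
}

func main() { fmt.Println(checkName("COM1"), checkName("static/app.js")) }
```

The guard runs on every platform, so the empty-root case is refused on Linux as well as Windows.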

@golang locked and limited conversation to collaborators Dec 21, 2023