Opened at 2011-11-09T15:42:33Z
Closed at 2011-11-28T08:35:12Z
#853 closed defect (fixed)
Possible path traversal in otr_save
Reported by: | David :) | Owned by: | wilmer |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | OTR | Version: | 3.0.3 |
Keywords: | | Cc: | |
IRC client+version: | Client-independent | Operating System: | Public server |
OS version/distro: | | | |
Description
I do not know if this is reachable and/or possible, but the otr_save function saves a user's otr key through the following code:

```c
g_snprintf(s, 511, "%s%s.otr_fprints", global.conf->configdir, irc->user->nick);
e = otrl_privkey_write_fingerprints(irc->otr->us, s);
```

Now, the otrl_privkey_write_fingerprints[0] function does the following:

```c
...
storef = fopen(filename, "w");
...
```

So if a user's nick can possibly include ../\ characters, it may be possible to overwrite another file on disk.
[0] http://www.google.com/codesearch#IKP17Us7-ak/libotr-3.0.0/src/privkey.c&ct=rc&cd=1&q=otrl_privkey_write_fingerprints
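
A defence-in-depth check at the point where the file name is built, as an added example that is not BitlBee's or libotr's code. The helper names `nick_is_safe_component` and `build_fprints_path` are hypothetical, plain `snprintf` stands in for `g_snprintf` so the block compiles without GLib, and the config directory and nicks are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: 1 if nick can be used as part of a single file-name
 * component, 0 otherwise. With separators excluded, ".." in the nick cannot
 * traverse, because the suffix makes it part of one longer file name. */
static int nick_is_safe_component(const char *nick)
{
    if (nick == NULL || nick[0] == '\0')
        return 0;
    /* No directory separators: '/' on POSIX, '\\' on Windows builds. */
    if (strpbrk(nick, "/\\") != NULL)
        return 0;
    return 1;
}

/* Builds "<configdir><nick>.otr_fprints" into out, using the format string
 * quoted in the ticket. Returns 0 on success, -1 if the nick is rejected or
 * the result does not fit (a truncated path would name a different file). */
static int build_fprints_path(char *out, size_t outlen,
                              const char *configdir, const char *nick)
{
    int n;

    if (!nick_is_safe_component(nick))
        return -1;
    n = snprintf(out, outlen, "%s%s.otr_fprints", configdir, nick);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample values, not taken from a real installation. */
    const char *configdir = "/var/lib/bitlbee/";
    const char *nicks[] = { "alice", "../bob", "..\\bob", "" };
    char path[512];
    size_t i;

    for (i = 0; i < sizeof(nicks) / sizeof(nicks[0]); i++) {
        if (build_fprints_path(path, sizeof(path), configdir, nicks[i]) == 0)
            printf("ok:       %s\n", path);
        else
            printf("rejected: \"%s\"\n", nicks[i]);
    }
    return 0;
}
```

The caller only passes the path on to the write function when `build_fprints_path` returns 0, so a rejected nick never reaches `fopen`.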
Change History (4)
comment:1 Changed at 2011-11-09T15:49:55Z by
Component: | BitlBee → OTR |
---|---|
Owner: | set to pesco |
comment:2 Changed at 2011-11-11T07:10:22Z by
From what I can tell the code in nick.c prevents this from occurring. However, I could be wrong.
comment:3 Changed at 2011-11-26T00:47:15Z by
Owner: | changed from pesco to wilmer |
---|---|
Status: | new → assigned |
In any case, thanks for pointing this out. Please pull (revision 832) from the usual place.
Whoops.. pesco, I thought you were into security stuff? :-P