#853 closed defect (fixed)

Possible path traversal in otr_save

Reported by: David :)
Owned by: wilmer
Priority: normal
Milestone:
Component: OTR
Version: 3.0.3
Keywords:
Cc:
IRC client+version: Client-independent
Operating System: Public server
OS version/distro:


I do not know if this is reachable and/or possible, but the otr_save function saves a user's otr key through the following code:

g_snprintf(s, 511, "%s%s.otr_fprints", global.conf->configdir, irc->user->nick);
e = otrl_privkey_write_fingerprints(irc->otr->us, s);

Now, the otrl_privkey_write_fingerprints[0] function does the following: ...

storef = fopen(filename, "w");


So if a user's nick can possibly include ../\ characters, it may be possible to overwrite another file on disk.
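
A defensive way to build the file name discussed in this ticket, as an added example: it is not BitlBee's code and not the change from revision 832. The helper names, the allow-list, the length limit and the sample directory are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical allow-list (an assumption, not BitlBee's nick rules): no '.',
 * '/' or '\\', so the nick cannot name a directory or climb out of one. */
static const char NICK_OK[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-[]{}^`|";

/* Returns 1 if nick may be embedded in a file name, 0 otherwise. */
static int nick_is_safe_filename(const char *nick)
{
    size_t len;
    if (nick == NULL)
        return 0;
    len = strlen(nick);
    if (len == 0 || len > 64)          /* 64 is an arbitrary example limit */
        return 0;
    return strspn(nick, NICK_OK) == len;   /* every byte is on the allow-list */
}

/* Builds "<configdir><nick>.otr_fprints". Returns 0 on success, -1 if the
 * nick is rejected or the path does not fit (a silently truncated path
 * would name a different file than intended). */
static int build_fprints_path(char *out, size_t outlen,
                              const char *configdir, const char *nick)
{
    int n;
    if (!nick_is_safe_filename(nick))
        return -1;
    n = snprintf(out, outlen, "%s%s.otr_fprints", configdir, nick);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample nicks and config directory. */
    const char *nicks[] = { "alice", "../../tmp/x", "..\\x", "a/b", "" };
    char path[512];
    size_t i;

    for (i = 0; i < sizeof nicks / sizeof nicks[0]; i++) {
        if (build_fprints_path(path, sizeof path, "/var/lib/bitlbee/", nicks[i]) == 0)
            printf("ok      %s\n", path);
        else
            printf("reject  \"%s\"\n", nicks[i]);
    }
    return 0;
}
```

Validating at the point where the path is built keeps the file write safe even if nick validation elsewhere changes later.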


Attachments (0)

Change History (4)

comment:1 Changed at 2011-11-09T15:49:55Z by wilmer

Component: BitlBee → OTR
Owner: set to pesco

Whoops.. pesco, I thought you were into security stuff? :-P

comment:2 Changed at 2011-11-11T07:10:22Z by David :)

From what I can tell the code in nick.c prevents this from occurring. However, I could be wrong.

comment:3 Changed at 2011-11-26T00:47:15Z by pesco

Owner: changed from pesco to wilmer
Status: new → assigned

in any case, thanks for pointing this out. please pull (revision 832) from the usual place.

comment:4 Changed at 2011-11-28T08:35:12Z by wilmer

Resolution: fixed
Status: assigned → closed

