On Thu, Dec 12, 2024 at 02:56:59AM +1100, Aleksa Sarai wrote:
> On 2024-12-11, Matthew Garrett <mjg59@xxxxxxxxxxxxx> wrote:
> > Path traversal attacks remain a common security vulnerability
> > (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=%22path+traversal%22)
> > and many are due to either failing to filter out ".." when validating a
> > path or incorrectly collapsing other sequences of "."s into ".." .
> > Evidence suggests that improving education isn't fixing the problem.
>
> I was thinking about adding a RESOLVE_NO_DOTDOT which would do something
> like this but on a per-openat2-call basis.

That's what I was thinking a while ago. I discussed that with Linus in
connection to a change by Jann for looking up module paths.

https://lore.kernel.org/r/CAADWXX_zpqzYdCpmQGF3JgsN4+wk3AsuQLCKREkDC1ScxSfDjQ@xxxxxxxxxxxxxx

>
> The main problem with making this global for the entire process is that
> most tools would not be able to practically enable this for themselves
> as it would require auditing the entire execution environment as well as
> all dependencies that might dare to use ".." in a path anywhere in their
> codebase.

I agree.