[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Should mounting a font be able to escape a font path directory?

From: G. Branden Robinson
Subject: Re: Should mounting a font be able to escape a font path directory?
Date: Sun, 7 Nov 2021 20:05:59 +1100
User-agent: NeoMutt/20180716

Hi, Ingo!

At 2021-11-05T15:06:30+0100, Ingo Schwarze wrote:
> > Should our font-opening logic refuse to traverse directories?
> [...]
> > 1.  Why not?  groff is an unprivileged process.
> That is incorrect.  I'm sure you have seen sysadmins type "man"
> in a root shell, too.

I was having trouble thinking of reasons to _keep_ the existing
behavior, so I confess I grasped a little bit for this one.  It came
readily to mind because I've so often _heard_ it.

Some of my "con-" arguments were overloaded, too, I think--an arbitrary
amount of font description file data can be read before a bad `name`
directive is reached, so even if we were allowed to abandon processing
it at that point--and we're not--comments could have easily loaded the
line buffer with an attempt at shellcode.

> Needless to say, that does not necessarily cause havoc.  You usually
> need many favourable factors to combine their effects if you hope for
> a full-blown catastrophe.  But groff traversing directories and
> reading files it shouldn't can be one among these factors.
> You are certainly aware that mandoc is more paranoid than groff in
> such respects - still, as one data point: mandoc does not even accept
> absolute paths or paths containing "/.." or "../" in .so requests and
> similar places.  Even though in such places, such features are
> arguably more useful than when it comes to font description files.

Yes--if all you're rendering is man pages, most or all traditional uses
of the `so` request (in a _document_) are inappropriate.  A man page is
not supposed to be a complex document with respect to file storage.

> I think being cautions with what you accept is a virtue.
> Before aupporting a feature that can obviously serve as a building
> block for vulnerabilities, it would make sense to me to ask for
> a rigourous explanation why the feature is absolutely needed and
> why the intended effect cannot be achieved in a safer way.

Thank you for your perspective.

I've committed the change, with a regression test.

I have not yet added a diagnostic message to the implementation of the
`fp` request; directory traversal attempts are, at present, _silently_
rejected.  This is because the meanings of the terms "internal name" and
"external name" are, in my opinion, underspecified, and we have a
humdinger of a terminology clash.

Quick quiz for anyone reading:

* In groff, do the terms "internal name" and "internalname" refer to the
  same thing?

If you think you know, go to Savannah #61423[1] and see!



Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]