Re: Should mounting a font be able to escape a font path directory?

groff

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Should mounting a font be able to escape a font path directory?

From:	G. Branden Robinson
Subject:	Re: Should mounting a font be able to escape a font path directory?
Date:	Sun, 7 Nov 2021 20:05:59 +1100
User-agent:	NeoMutt/20180716

Hi, Ingo!

At 2021-11-05T15:06:30+0100, Ingo Schwarze wrote:
> > Should our font-opening logic refuse to traverse directories?
> [...]
> > 1.  Why not?  groff is an unprivileged process.
> 
> That is incorrect.  I'm sure you have seen sysadmins type "man"
> in a root shell, too.

I was having trouble thinking of reasons to _keep_ the existing
behavior, so I confess I grasped a little bit for this one.  It came
readily to mind because I've so often _heard_ it.

Some of my "con-" arguments were overloaded, too, I think--an arbitrary
amount of font description file data can be read before a bad `name`
directive is reached, so even if we were allowed to abandon processing
it at that point--and we're not--comments could have easily loaded the
line buffer with an attempt at shellcode.

> Needless to say, that does not necessarily cause havoc.  You usually
> need many favourable factors to combine their effects if you hope for
> a full-blown catastrophe.  But groff traversing directories and
> reading files it shouldn't can be one among these factors.
> 
> You are certainly aware that mandoc is more paranoid than groff in
> such respects - still, as one data point: mandoc does not even accept
> absolute paths or paths containing "/.." or "../" in .so requests and
> similar places.  Even though in such places, such features are
> arguably more useful than when it comes to font description files.

Yes--if all you're rendering is man pages, most or all traditional uses
of the `so` request (in a _document_) are inappropriate.  A man page is
not supposed to be a complex document with respect to file storage.

[...]
> I think being cautions with what you accept is a virtue.
> 
> Before aupporting a feature that can obviously serve as a building
> block for vulnerabilities, it would make sense to me to ask for
> a rigourous explanation why the feature is absolutely needed and
> why the intended effect cannot be achieved in a safer way.

Thank you for your perspective.

I've committed the change, with a regression test.

I have not yet added a diagnostic message to the implementation of the
`fp` request; directory traversal attempts are, at present, _silently_
rejected.  This is because the meanings of the terms "internal name" and
"external name" are, in my opinion, underspecified, and we have a
humdinger of a terminology clash.

Quick quiz for anyone reading:

* In groff, do the terms "internal name" and "internalname" refer to the
  same thing?

If you think you know, go to Savannah #61423[1] and see!

Regards,
Branden

[1] https://savannah.gnu.org/bugs/index.php?61423

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

Should mounting a font be able to escape a font path directory?, G. Branden Robinson, 2021/11/04
- Re: Should mounting a font be able to escape a font path directory?, Ingo Schwarze, 2021/11/05
  - Re: Should mounting a font be able to escape a font path directory?, G. Branden Robinson <=

Prev by Date: Re: [groff] 05/14: tbl(1): Say decimal "separator", not "point".
Next by Date: Re: Use `strsave()`, not `strdup()`.
Previous by thread: Re: Should mounting a font be able to escape a font path directory?
Next by thread: Re: Use `strsave()`, not `strdup()`.
Index(es):
- Date
- Thread