From: Simon McVittie Date: Sat, 18 Feb 2012 20:33:51 +0000 Subject: CVE-2006-2082 - do not allow download of arbitrary files from a server Any file readable by the server user could be read, via ../ sequences. Original patches by Thilo Schulz, ioquake3 r777 (which fixed the vulnerability) and r781 (which fixed a regression in r777 where uninitialized variables led to some allowed downloads being rejected too). Origin: backport Bug-Debian: http://bugs.debian.org/660831 Bug-CVE: http://security-tracker.debian.org/tracker/CVE-2006-2082 --- src/server/sv_client.c | 51 ++++++++++++++++++++++++++++++++++++++++------- 1 files changed, 43 insertions(+), 8 deletions(-) diff --git a/src/server/sv_client.c b/src/server/sv_client.c index 0272fab..53f5998 100644 --- src/server/sv_client.c +++ src/server/sv_client.c @@ -618,24 +618,57 @@ void SV_WriteDownloadToClient( client_t *cl , msg_t *msg ) int curindex; int rate; int blockspersnap; - int idPack, missionPack; + int idPack = 0, missionPack = 0, unreferenced = 1; char errorMessage[1024]; + char pakbuf[MAX_QPATH], *pakptr; + int numRefPaks; if (!*cl->downloadName) return; // Nothing being downloaded if (!cl->download) { - // We open the file here + // Chop off filename extension. + Com_sprintf(pakbuf, sizeof(pakbuf), "%s", cl->downloadName); + pakptr = Q_strrchr(pakbuf, '.'); - Com_Printf( "clientDownload: %d : begining \"%s\"\n", cl - svs.clients, cl->downloadName ); + if (pakptr) + { + *pakptr = '\0'; - missionPack = FS_idPak(cl->downloadName, "missionpack"); - idPack = missionPack || FS_idPak(cl->downloadName, "baseq3"); + // Check for pk3 filename extension + if(!Q_stricmp(pakptr + 1, "pk3")) + { + const char *referencedPaks = FS_ReferencedPakNames(); + + // Check whether the file appears in the list of referenced + // paks to prevent downloading of arbitrary files + Cmd_TokenizeStringIgnoreQuotes(referencedPaks); + numRefPaks = Cmd_Argc(); + + for(curindex = 0; curindex < numRefPaks; curindex++) + { + if(!FS_FilenameCompare(Cmd_Argv(curindex), pakbuf)) + { + unreferenced = 0; + // now that we know the file is referenced, check whether it's legal to download it. + missionPack = FS_idPak(pakbuf, "missionpack"); + idPack = missionPack || FS_idPak(pakbuf, BASEGAME); + break; + } + } + } + } - if ( !sv_allowDownload->integer || idPack || + // We open the file here + if ( !sv_allowDownload->integer || idPack || unreferenced || ( cl->downloadSize = FS_SV_FOpenFileRead( cl->downloadName, &cl->download ) ) <= 0 ) { // cannot auto-download file - if (idPack) { + if(unreferenced) + { + Com_Printf("clientDownload: %d : \"%s\" is not referenced and cannot be downloaded.\n", cl - svs.clients, cl->downloadName); + Com_sprintf(errorMessage, sizeof(errorMessage), "File \"%s\" is not referenced and cannot be downloaded.", cl->downloadName); + } + else if (idPack) { Com_Printf("clientDownload: %d : \"%s\" cannot download id pk3 files\n", cl - svs.clients, cl->downloadName); if (missionPack) { Com_sprintf(errorMessage, sizeof(errorMessage), "Cannot autodownload Team Arena file \"%s\"\n" @@ -670,7 +703,9 @@ void SV_WriteDownloadToClient( client_t *cl , msg_t *msg ) *cl->downloadName = 0; return; } - + + Com_Printf( "clientDownload: %d : beginning \"%s\"\n", cl - svs.clients, cl->downloadName ); + // Init cl->downloadCurrentBlock = cl->downloadClientBlock = cl->downloadXmitBlock = 0; cl->downloadCount = 0;