[Pkg-haskell-maintainers] Bug#599676: secureAbsNormPath isn't secure

Joey Hess joeyh at debian.org
Sun Oct 10 01:45:56 UTC 2010


Package: missingh
Version: 1.1.0.3-3
Severity: normal
Tags: security

Prelude System.Path> secureAbsNormPath "/home/joey" "/home/bob/foo"
Nothing

So far so good, and based on that and secureAbsNormPath's description,
you might expect it to be usable to limit access to files in my home
directory. That is not the case:

Prelude System.Path> secureAbsNormPath "/home/joey" "/home/joeyish/foo"
Just "/home/joeyish/foo"

So to be "secure", the first parameter should end with a slash.
But, the documentation doesn't say that. Actually, it says "in many
cases, it would correspond to the current working directory". Note
that getCurrentDirectory does not return a directory with a trailing
slash.

-- 
see shy jo
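
Added example, not part of the original report and not MissingH's code: a character-level prefix test gives the same answers as the two calls above, while a comparison of path components does not depend on a trailing slash. The names splitOn, components, naiveWithin and within are hypothetical, and the check is purely lexical (symlinks are not resolved).

```haskell
import Data.List (isPrefixOf)

-- Split on a separator, keeping empty segments ("/a//b" -> ["", "a", "", "b"]).
splitOn :: Char -> String -> [String]
splitOn sep s = case break (== sep) s of
  (chunk, [])       -> [chunk]
  (chunk, _ : rest) -> chunk : splitOn sep rest

-- Components of an absolute path, normalized lexically: empty segments and
-- "." are dropped, ".." removes the previous component. Relative paths and
-- paths that climb above "/" yield Nothing, so callers reject them.
components :: FilePath -> Maybe [String]
components path
  | take 1 path /= "/" = Nothing
  | otherwise          = go [] (splitOn '/' path)
  where
    go acc [] = Just (reverse acc)
    go acc (c : cs)
      | c == "" || c == "." = go acc cs
      | c == ".."           = case acc of
                                []       -> Nothing
                                (_ : up) -> go up cs
      | otherwise           = go (c : acc) cs

-- Character-level prefix test: "/home/joey" is a prefix of "/home/joeyish/foo".
naiveWithin :: FilePath -> FilePath -> Bool
naiveWithin base path = base `isPrefixOf` path

-- Component-level prefix test: ["home","joey"] is not a prefix of
-- ["home","joeyish","foo"], with or without a trailing slash on the base.
within :: FilePath -> FilePath -> Bool
within base path = case (components base, components path) of
  (Just b, Just p) -> b `isPrefixOf` p
  _                -> False

-- Constructed sample inputs; the first two pairs are the calls from the report.
main :: IO ()
main = mapM_ report
  [ ("/home/joey",  "/home/bob/foo")
  , ("/home/joey",  "/home/joeyish/foo")
  , ("/home/joey",  "/home/joey/foo")
  , ("/home/joey/", "/home/joey/foo")
  , ("/home/joey",  "/home/joey/../joeyish/foo")
  ]
  where
    report (base, path) = putStrLn $
      base ++ " | " ++ path ++ " | naive=" ++ show (naiveWithin base path)
           ++ " component=" ++ show (within base path)
```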

