[Security vulnerability] Access to a symbolic link 48/200848/4
authorSeonah Moon <seonah1.moon@samsung.com>
Mon, 4 Mar 2019 09:05:02 +0000 (18:05 +0900)
committerSeonah Moon <seonah1.moon@samsung.com>
Tue, 5 Mar 2019 08:18:06 +0000 (17:18 +0900)
Change-Id: I2207dbe4a72d87cd6665fd27dfc97a30b4617b49

agent/download-agent-file.c

index 1000347..06b76f9 100755 (executable)
@@ -47,6 +47,7 @@ da_ret_t __saved_file_open(file_info_t *file_info)
 {
        da_ret_t ret = DA_RESULT_OK;
        char *actual_file_path = DA_NULL;
+       char *resolved_path = DA_NULL;
        void *fd = DA_NULL;
 
        DA_LOGV("");
@@ -55,6 +56,17 @@ da_ret_t __saved_file_open(file_info_t *file_info)
        if (!actual_file_path)
                return DA_ERR_INVALID_ARGUMENT;
 
+       resolved_path = realpath(actual_file_path, NULL);
+       if (resolved_path) {
+               /* Check if actual_file_path is symbolic file or not */
+               if (strcmp(resolved_path, actual_file_path) != 0) {
+                       free(resolved_path);
+                       return DA_ERR_INVALID_ARGUMENT;
+               }
+       } else if (errno != ENOENT) {
+               return DA_ERR_INVALID_ARGUMENT;
+       }
+
        fd = fopen(actual_file_path, "a+"); // for resume
        if (fd == DA_NULL) {
                DA_LOGE("File open failed");
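Review bot: The realpath() check ahead of `fopen(actual_file_path, "a+")` leaves two gaps. A dangling symlink makes realpath() fail with ENOENT, the `else if (errno != ENOENT)` branch lets that through, and fopen then follows the link and creates its target. Separately, the path can be swapped for a symlink between the check and the open. Enforcing the rule in the open call itself closes both gaps for the final path component: open with O_NOFOLLOW and wrap the descriptor with fdopen(), as sketched below (this presumably needs `<fcntl.h>` and `<unistd.h>`, which are not visible here). The strcmp() comparison also rejects legitimate non-canonical paths (relative, `//`, `..`), which deserves a comment if intended; the function body starts and ends outside this hunk.

```c
	/* … unchanged: realpath() comparison, still useful for symlinks in parent directories … */

	/* O_NOFOLLOW makes the open fail (ELOOP) when the final component is a symlink, dangling or not */
	int raw_fd = open(actual_file_path, O_RDWR | O_CREAT | O_APPEND | O_NOFOLLOW, 0666);
	if (raw_fd >= 0) {
		fd = fdopen(raw_fd, "a+"); // for resume
		if (fd == DA_NULL)
			close(raw_fd);
	}
	if (fd == DA_NULL) {
	/* … unchanged: error logging and ret assignment … */
```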
@@ -69,7 +81,7 @@ da_ret_t __saved_file_open(file_info_t *file_info)
 ERR:
        if (DA_RESULT_OK != ret)
                file_info->file_handle = DA_NULL;
-
+       free(resolved_path);
        return ret;
 }