Follow-up Comment #7, bug #61009 (project findutils):

>> find . -type f | xargs -F -IX -n1 cp -f X $IMGDIR_DST/X 
>> 
>> I can't find any problem with unsafe filenames. Am I wrong?

Yes:

The idiom 'find -type f | xargs -IX cp X ...' is per se unsafe:
`xargs -I` reads the input line by line - but yes, files can
have a newline in their name!

Here's a reproducer using exactly your command line (without the
hypothetical -F option, obviously) to copy /etc/passwd ... although
that's for sure not what the user wants:


$ rm -rf src dst  # cleanup.

# Create a directory in the SRC directory with a newline in the name,
# and initialize the DST directory.
$ mkdir -pv src/file$'\n'/etc dst/etc
mkdir: created directory 'src'
mkdir: created directory 'src/file'$'\n'
mkdir: created directory 'src/file'$'\n''/etc'
mkdir: created directory 'dst'
mkdir: created directory 'dst/etc'

$ cd src

$ IMGDIR_DST=../dst

# Create a dummy 'passwd' file therein.
$ echo DUMMY > file$'\n'/etc/passwd

# Add a dummy file which will hide that cp(1) will copy the wrong file.
$ echo HACKED > file

# Run the vulnerable command.
$ find . -type f | xargs -IX -n1 cp -f X $IMGDIR_DST/X

$ grep -R HACKED $IMGDIR_DST
../dst/file:HACKED

$ grep -RF $(whoami) $IMGDIR_DST
../dst/etc/passwd:victim:x:1003:100::/home/victim:/bin/bash


The safest way to avoid this problem is to let find(1) execute the program
directly, i.e., without the 'find | xargs' idiom.
Alternatively, use 'find ... -print0 | xargs -0 ...' instead.

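The reproducer above, rebuilt as a self-contained script that runs the unsafe 'find | xargs -I' idiom next to the two fixes named in the comment ('-print0 | xargs -0' and 'find -exec'). This is an added example, not code from the bug report or from findutils; the scratch directory, file names and contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report): constructed scratch tree comparing
# the unsafe 'find | xargs -I' idiom with the two fixes from the comment.
set -u
NL='
'

# Source tree: a directory whose name contains a newline, the real file below
# it, and a decoy named like the first line of that path. Destination trees
# get the same layout so cp has somewhere to write.
setup_tree() {
  rm -rf "$1"
  for d in src dst_unsafe dst_nul dst_exec; do
    mkdir -p "$1/$d/file${NL}/etc" "$1/$d/etc"
  done
  printf 'SECRET\n' > "$1/src/file${NL}/etc/passwd"
  printf 'DECOY\n' > "$1/src/file"
}

# Unsafe: xargs -I reads lines, so "file\n/etc/passwd" is seen as the two
# items "./file" and "/etc/passwd"; the decoy and the wrong passwd get copied.
copy_unsafe() {
  ( cd "$1/src" && find . -type f | xargs -I{} cp -f {} "../dst_unsafe/{}" 2>/dev/null )
}
# Fix 1: NUL delimiters, which no filename can contain.
copy_nul() {
  ( cd "$1/src" && find . -type f -print0 | xargs -0 -I{} cp -f {} "../dst_nul/{}" )
}
# Fix 2: let find run cp itself (GNU find substitutes {} inside an argument).
copy_exec() {
  ( cd "$1/src" && find . -type f -exec cp -f {} "../dst_exec/{}" \; )
}
# True only if the real file arrived at its full, newline-containing path.
check_copy() {
  [ "$(cat "$1/file${NL}/etc/passwd" 2>/dev/null)" = SECRET ]
}

# Run all three variants, report which copied the right file, clean up.
run_demo() {
  setup_tree "$1"
  copy_unsafe "$1" || true
  copy_nul "$1"; copy_exec "$1"
  for d in dst_unsafe dst_nul dst_exec; do
    if check_copy "$1/$d"; then echo "$d: correct file"; else echo "$d: WRONG FILE"; fi
  done
  rm -rf "$1"
}

run_demo "${TMPDIR:-/tmp}/xargs_newline_demo.$$"
```

The unsafe variant reports WRONG FILE because the decoy lands where the real file should be; both fixes report the correct file.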