Follow-up Comment #7, bug #61009 (project findutils):
>> find . -type f | xargs -F -IX -n1 cp -f X $IMGDIR_DST/X
>>
>> I can't find any problem with unsafe filenames. Am I wrong?
Yes:
The idiom 'find -type f | xargs -IX cp X ...' is per se unsafe:
`xargs -I` reads the input line by line - but yes, files can
have a newline in their name!
Here's a reproducer using exactly your command line (without the
hypothetical -F option, obviously) to copy /etc/passwd ... although
that's for sure not what the user wants:
$ rm -rf src dst # cleanup.
# Create a directory in the SRC directory with a newline in the name,
# and initialize the DST directory.
$ mkdir -pv src/file$'\n'/etc dst/etc
mkdir: created directory 'src'
mkdir: created directory 'src/file'$'\n'
mkdir: created directory 'src/file'$'\n''/etc'
mkdir: created directory 'dst'
mkdir: created directory 'dst/etc'
$ cd src
$ IMGDIR_DST=../dst
# Create a dummy 'passwd' file therein.
$ echo DUMMY > file$'\n'/etc/passwd
# Add a dummy file which will hide that cp(1) will copy the wrong file.
$ echo HACKED > file
# Run the vulnerable command.
$ find . -type f | xargs -IX -n1 cp -f X $IMGDIR_DST/X
$ grep -R HACKED $IMGDIR_DST
../dst/file:HACKED
$ grep -RF $(whoami) $IMGDIR_DST
../dst/etc/passwd:victim:x:1003:100::/home/victim:/bin/bash
The safest way to avoid this problem is to let find(1) execute the program
directly, i.e., without the 'find | xargs' idiom.
Alternatively, use 'find ... -print0 | xargs -0 ...' instead.
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?61009>
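As an added illustration (not part of the bug report or of findutils), the following script runs the reporter's line-based 'find | xargs -I' idiom and the NUL-delimited 'find -print0 | xargs -0' variant side by side on a constructed tree with a directory named "file<newline>", and checks whether the copy actually reproduces the nested passwd file; the tree layout and helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): copies a constructed tree containing
# a directory named "file<newline>" twice, once with the line-based
# 'find | xargs -I' idiom from the report and once NUL-delimited.
set -u

NL=$(printf '\nx'); NL=${NL%x}   # a literal newline, POSIX-sh style

# Constructed tree: $1/src/file<NL>/etc/passwd plus a plain file $1/src/file.
# The destination trees get the directories cp(1) needs, since cp creates none.
make_tree() {
  mkdir -p "$1/src/file$NL/etc" \
           "$1/unsafe/file$NL/etc" "$1/unsafe/etc" \
           "$1/safe/file$NL/etc"   "$1/safe/etc"
  printf 'DUMMY\n'  > "$1/src/file$NL/etc/passwd"
  printf 'HACKED\n' > "$1/src/file"
}

# Line-based idiom: xargs -I takes one path per line, so
# "./file<NL>/etc/passwd" arrives as two paths, "./file" and "/etc/passwd".
# Some of those mangled paths may not exist, hence the tolerated failure.
copy_linewise() {   # $1 = src dir, $2 = absolute dst dir
  (cd "$1" && find . -type f | xargs -I '{}' cp -f '{}' "$2/{}") 2>/dev/null || true
}

# NUL-delimited idiom: -print0 / -0 keep every path as exactly one argument.
copy_nul() {        # $1 = src dir, $2 = absolute dst dir
  (cd "$1" && find . -type f -print0 | xargs -0 -I '{}' cp -f '{}' "$2/{}")
}

# Content of dst/file<NL>/etc/passwd, or MISSING when the copy never produced
# it: the check a defender would run after a copy job over untrusted names.
copied_passwd() {   # $1 = dst dir
  cat "$1/file$NL/etc/passwd" 2>/dev/null || printf 'MISSING'
}

# Prints "<line-based result> <NUL-delimited result>", e.g. "MISSING DUMMY".
run_demo() {
  root=$(mktemp -d)
  make_tree "$root"
  copy_linewise "$root/src" "$root/unsafe"
  copy_nul      "$root/src" "$root/safe"
  printf '%s %s\n' "$(copied_passwd "$root/unsafe")" "$(copied_passwd "$root/safe")"
  rm -rf "$root"
}
```

Running run_demo prints "MISSING DUMMY": the line-based copy silently loses the file under the newline-named directory, while the NUL-delimited copy reproduces it intact.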