dmg (Voice)
Joined: 20 Apr 2009, Posts: 5
Posted: Mon Apr 20, 2009 9:17 pm. Post subject: dccsend with arguments security issue [SOLVED]
Hi guys!
I'm a beginner at Tcl scripting and I've made a script that looks something like this:
Code:
set chan "#ascii"
set botdir "/home/dmg/hosee2"
set rootdir "$botdir/filesys"
set scrver "getdiz"
set author "dmg"

# !get is available to users carrying the +v flag
bind pub v !get get_file

proc get_file { nick uhost hand chan args } {
    global rootdir
    global scrver
    global author
    # meant to strip characters outside the allowed set from the requested name
    regsub -all -nocase {[^[:alnum:][][$\\]._()!'?^-]} [lindex $args 0] {} arg
    if { [llength $arg] != 1 } {
        putchan $chan "Usage: !get \[\[path\] <filename>\]"
        return 0
    } else {
        # check the password before anything is handed to dccsend
        if { [passwdok $hand ""] == 1 } {
            putchan $chan "you have to set a password (or maybe you must identify yourself?)."
            return 0
        }
        # the argument is appended to $rootdir as given
        set find "$rootdir/$arg"
        set send [dccsend $find $nick]
        putchan $chan "requesting transfer of $arg to $nick"
        # dccsend return codes
        if { $send == 0 } { putchan $chan "\002ok!\002 sending file" }
        if { $send == 1 } { putchan $chan "too many connections. try again later" }
        if { $send == 2 } { putchan $chan "can't open a socket for the transfer. try again later" }
        if { $send == 3 } { putchan $chan "the file $arg \002does not exist\002 (maybe you entered the wrong path?)" }
        if { $send == 4 } { putchan $chan "too many simultaneous transfers. putting file in queue" }
        putchan $chan "---==(\\/)- $scrver by $author -(\\/)==---"
        return 1
    }
}
putlog "$scrver by $author"

Everything is fine and dandy except that I found out that it will accept any kind of argument, so using !get ../../filename or whichever path/file not limited by local rights settings would be possible.
My question is: How could I limit the script/argument to refuse access outside of the $rootdir variable?
..oh, and if you wonder, the regexp is because the files in my archive (ASCII art) can sometimes have crazy characters in the filename.
Please be gentle with me since I haven't quite understood how everything works and what everything does yet.
Last edited by dmg on Mon Apr 20, 2009 10:08 pm; edited 1 time in total
raider2k (Op)
Joined: 01 Jan 2008, Posts: 140
Posted: Mon Apr 20, 2009 9:49 pm
Maybe I didn't quite understand what you want to do, but what I understood until now is that you want users ONLY to have access to $rootdir and below, but nowhere else than $rootdir and below?
If that's the case I don't see anything wrong, because $rootdir is "hardcoded" and since you are using $arg as an addition to $rootdir your users will get "jailed" into $rootdir anyway.
Correct me if I got something wrong.
edit:
What you COULD do to limit ../../ is to add:
Code:
# reject any argument containing "../"; regexp -all returns the match count
if { [regexp -all -nocase -- {\.\./} $arg] } {
    putlog "wrong path"
    return 0
}

dmg (Voice)
Joined: 20 Apr 2009, Posts: 5
Posted: Mon Apr 20, 2009 9:56 pm
Yea.
Any user with access to the !get command and a known filename could use it like this, f.i.:
03:54 <@dMG> !get ../../../../etc/passwd
03:54 <@hosee2> requesting transfer of ../../../../etc/passwd to dMG
03:54 <@hosee2> ok! sending file
03:54 <@hosee2> ---==(\/)- getdiz by dmg -(\/)==---
So they don't seem to be jailed to the $rootdir (as I too thought at first).
edit:
Thx! I'll try playing around with that!
raider2k (Op)
Joined: 01 Jan 2008, Posts: 140
Posted: Mon Apr 20, 2009 10:00 pm
Quote:
03:54 <@dMG> !get ../../../../etc/passwd
03:54 <@hosee2> requesting transfer of ../../../../etc/passwd to dMG
03:54 <@hosee2> ok! sending file
03:54 <@hosee2> ---==(\/)- getdiz by dmg -(\/)==---

Woah lol.
Yup, that's really a nice one.
Try the possible solution I gave you, should work out fine; if not, try
Code:
# glob-style comparison ("string equal" does not expand the "*" wildcards)
if { [string match -nocase "*../*" $arg] } {
    putlog "wrong path"
    return 0
}

There's always more than one way to solve something.
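A containment check as an added example (not from this thread and not eggdrop's own code): instead of looking for "../" in the argument, resolve the requested path and verify it still lies under $rootdir, which also catches absolute arguments and symlinked entries. The proc name safe_path, the demo arguments and the Unix "/" separator are assumptions for illustration.

```tcl
# Added example, not from the thread: confine !get arguments to $rootdir by
# checking where the resolved path ends up, instead of searching for "../".
# Assumes a Unix "/" separator (as in dmg's setup) and Tcl 8.4 or newer.
set rootdir "/home/dmg/hosee2/filesys"

# Returns the absolute path for $arg inside $root, or "" when the request
# would leave $root (via "..", an absolute path, or a symlink).
proc safe_path {root arg} {
    set root [file normalize $root]
    # "file join" throws away $root when the second part is absolute,
    # so an absolute argument is rejected before it is ever joined.
    if {[file pathtype $arg] ne "relative"} { return "" }
    set target [file normalize [file join $root $arg]]
    # Must be $root itself or strictly below it; the trailing "/" stops
    # "/filesys" from being accepted as a prefix of "/filesystem".
    set prefix "$root/"
    if {$target ne $root &&
        ![string equal -length [string length $prefix] $prefix $target]} {
        return ""
    }
    # "file normalize" resolves symlinks in every component except the last,
    # so a symlinked final entry pointing outside $root is rejected explicitly.
    if {![catch {file type $target} ftype] && $ftype eq "link"} { return "" }
    return $target
}

# How it slots into dmg's bind; eggdrop's pub binds pass the text as the
# fifth argument. dccsend/putchan exist only inside the bot, so this proc
# is not called by the demo below.
proc get_file {nick uhost hand chan text} {
    global rootdir
    set find [safe_path $rootdir [string trim $text]]
    if {$find eq "" || ![file isfile $find]} {
        putchan $chan "no such file in the archive"
        return 0
    }
    set send [dccsend $find $nick]
    putchan $chan "requesting transfer of [file tail $find] to $nick"
    return 1
}

# Demo with constructed arguments (tclsh is enough): the last one contains
# "../" yet stays inside $rootdir, which a plain "../" blacklist would refuse.
foreach req {diz/cool.txt ../../../../etc/passwd /etc/passwd sub/../x.txt ../filesys/x.txt} {
    set r [safe_path $rootdir $req]
    puts [format "%-24s %s" $req [expr {$r eq "" ? "rejected" : "-> $r"}]]
}
```

Because the decision is made on the normalized result rather than on the raw text, rejecting unexpected characters with a regsub stays optional rather than being the only line of defence.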
dmg (Voice)
Joined: 20 Apr 2009, Posts: 5
Posted: Mon Apr 20, 2009 10:07 pm
Thank you very much for your help. The first example worked just fine!
Isn't that the beauty of scripting and programming, that you're almost never limited to a single way to solve things?
raider2k (Op)
Joined: 01 Jan 2008, Posts: 140
Posted: Mon Apr 20, 2009 10:11 pm
Definitely ^^
<3 tcl