From 18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7 Mon Sep 17 00:00:00 2001 From: Darshit Shah Date: Sun, 07 Sep 2014 19:11:17 +0000 Subject: CVE-2014-4877: Arbitrary Symlink Access Wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP. This commit changes the default settings in Wget such that Wget no longer creates local symbolic links, but rather traverses them and retrieves the pointed-to file in such a retrieval. The old behaviour can be attained by passing the --retr-symlinks=no option to the Wget invokation command. --- diff --git a/doc/wget.texi b/doc/wget.texi index aef1f80..d7a4c94 100644 --- a/doc/wget.texi +++ b/doc/wget.texi @@ -1883,17 +1883,18 @@ Preserve remote file permissions instead of permissions set by umask. @cindex symbolic links, retrieving @item --retr-symlinks -Usually, when retrieving @sc{ftp} directories recursively and a symbolic -link is encountered, the linked-to file is not downloaded. Instead, a -matching symbolic link is created on the local filesystem. The -pointed-to file will not be downloaded unless this recursive retrieval -would have encountered it separately and downloaded it anyway. - -When @samp{--retr-symlinks} is specified, however, symbolic links are -traversed and the pointed-to files are retrieved. At this time, this -option does not cause Wget to traverse symlinks to directories and -recurse through them, but in the future it should be enhanced to do -this. +By default, when retrieving @sc{ftp} directories recursively and a symbolic link +is encountered, the symbolic link is traversed and the pointed-to files are +retrieved. Currently, Wget does not traverse symbolic links to directories to +download them recursively, though this feature may be added in the future. + +When @samp{--retr-symlinks=no} is specified, the linked-to file is not +downloaded. Instead, a matching symbolic link is created on the local +filesystem. The pointed-to file will not be retrieved unless this recursive +retrieval would have encountered it separately and downloaded it anyway. This +option poses a security risk where a malicious FTP Server may cause Wget to +write to files outside of the intended directories through a specially crafted +@sc{.listing} file. Note that when retrieving a file (not a directory) because it was specified on the command-line, rather than because it was recursed to, diff --git a/src/init.c b/src/init.c index 09557af..3bdaa48 100644 --- a/src/init.c +++ b/src/init.c @@ -366,6 +366,22 @@ defaults (void) opt.dns_cache = true; opt.ftp_pasv = true; + /* 2014-09-07 Darshit Shah + * opt.retr_symlinks is set to true by default. Creating symbolic links on the + * local filesystem pose a security threat by malicious FTP Servers that + * server a specially crafted .listing file akin to this: + * + * lrwxrwxrwx 1 root root 33 Dec 25 2012 JoCxl6d8rFU -> / + * drwxrwxr-x 15 1024 106 4096 Aug 28 02:02 JoCxl6d8rFU + * + * A .listing file in this fashion makes Wget susceptiple to a symlink attack + * wherein the attacker is able to create arbitrary files, directories and + * symbolic links on the target system and even set permissions. + * + * Hence, by default Wget attempts to retrieve the pointed-to files and does + * not create the symbolic links locally. + */ + opt.retr_symlinks = true; #ifdef HAVE_SSL opt.check_cert = true; -- cgit v0.9.0.2