
Re: CAN-2005-3163: polipo permits reading files outside of web root di



Hi Tom,

(I am the upstream author of Polipo.)

I have just checked the sources of polipo 0.9.8-1, and this bug is
still present.  This is a serious security bug, but is mitigated by
the Debian installation.

The bug allows anyone who has access to Polipo's local web server to
read any file that is readable by the Polipo process.  The following
factors mitigate the threat:

  - by default, Debian's Polipo only listens on 127.0.0.1;
  - Polipo is run by the proxy user, who should not have access to any
    critical files.

There is, as far as I know, no possibility of an attacker managing to
write a file.

You may work around the issue by adding the line

  localDocumentRoot = ""

to the file /etc/polipo/config.

Still, I believe that this bug should definitely be fixed.  Choices
include:

  - applying the appended patch;
  - upgrading to 0.9.9, which has been out since September 2005.

I hold no opinion on whether this bug should be marked release-critical.

                                        Juliusz

--- /usr/local/src/polipo/polipo-stable-0.9/diskcache.c 2006-05-20 01:33:04.0000
00000 +0200
+++ polipo-0.9.8/diskcache.c    2004-10-25 22:26:37.000000000 +0200
@@ -264,14 +264,10 @@
     if(n <= localDocumentRoot->length)
         return -1;
 
-    i = 0;
-    if(key[i] != '/')
-        return -1;
-
     memcpy(buf, localDocumentRoot->string, localDocumentRoot->length);
-    j = localDocumentRoot->length;
-    if(buf[j - 1] == '/')
-        j--;
+    i = 1; j = localDocumentRoot->length;
+    if(buf[j - 1] != '/')
+        buf[j++] = '/';
 
     while(i < len) {
         if(j >= n - 1)
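
Review bot: the diff direction looks reversed. The "---" side is polipo-stable-0.9/diskcache.c (2006) and the "+++" side is polipo-0.9.8/diskcache.c (2004), so the lines marked "-" (i = 0 followed by the check if(key[i] != '/') return -1;) are the ones the fix needs, while the "+" lines (i = 1 with no test of the first character of key) are the 0.9.8 code. As posted, the hunk will not apply forward to a 0.9.8 tree. Either regenerate it with the 0.9.8 file as the old side, or say explicitly that it must be applied in reverse (patch -R). A one-line comment above the check, stating that key must begin with '/' before it is appended to localDocumentRoot, would also help the next reader.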
