From 90687215a42b2e074f3b5a85cf344ca998fa34ac Mon Sep 17 00:00:00 2001 From: Sebastian Lackner Date: Fri, 24 Nov 2017 00:44:06 +0100 Subject: fusefrontend_reverse: Do not mix up cache information for different directories Fixes https://github.com/rfjakob/gocryptfs/issues/168 Steps to reproduce the problem: * Create a regular reverse mount point * Create files with the same very long name in multiple directories - so far everything works as expected, and it will appear with a different name each time, for example, gocryptfs.longname.A in directory A and gocryptfs.longname.B in directory B * Try to access a path with A/gocryptfs.longname.B or B/gocryptfs.longname.A - this should fail, but it actually works. The problem is that the longname cache only uses the path as key and not the dir or divIV. Assume an attacker can directly interact with a reverse mount and knows the relation longname path -> unencoded path in one directory, it allows to test if the same unencoded filename appears in any other directory. --- tests/reverse/ctlsock_test.go | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) (limited to 'tests/reverse') diff --git a/tests/reverse/ctlsock_test.go b/tests/reverse/ctlsock_test.go index c3ee121..d60fbde 100644 --- a/tests/reverse/ctlsock_test.go +++ b/tests/reverse/ctlsock_test.go @@ -35,10 +35,11 @@ func TestCtlSockPathOps(t *testing.T) { test_helpers.MountOrFatal(t, "ctlsock_reverse_test_fs", mnt, "-reverse", "-extpass", "echo test", "-ctlsock="+sock) defer test_helpers.UnmountPanic(mnt) var req ctlsock.RequestStruct + var response ctlsock.ResponseStruct for i, tc := range ctlSockTestCases { // Decrypt req = ctlsock.RequestStruct{DecryptPath: tc[0]} - response := test_helpers.QueryCtlSock(t, sock, req) + response = test_helpers.QueryCtlSock(t, sock, req) if response.ErrNo != 0 { t.Errorf("Testcase %d Decrypt: %q ErrNo=%d ErrText=%s", i, tc[0], response.ErrNo, response.ErrText) } else if response.Result != tc[1] { @@ -53,6 +54,18 @@ func TestCtlSockPathOps(t *testing.T) { t.Errorf("Testcase %d Encrypt: Want %q got %q", i, tc[1], response.Result) } } + // At this point the longname parent cache should be populated. + // Check that we do not mix up information for different directories. + req = ctlsock.RequestStruct{DecryptPath: "gocryptfs.longname.y6rxCn6Id8hIZL2t_STpdLZpu-aE2HpprJR25xD60mk="} + response = test_helpers.QueryCtlSock(t, sock, req) + if response.ErrNo != -1 { + t.Errorf("File should not exist: ErrNo=%d ErrText=%s", response.ErrNo, response.ErrText) + } + req = ctlsock.RequestStruct{DecryptPath: "v6puXntoQOk7Mhl8zJ4Idg==/gocryptfs.longname.ZQCAoi5li3xvDZRO8McBV0L_kzJc4IcAOEzuW-2S1Y4="} + response = test_helpers.QueryCtlSock(t, sock, req) + if response.ErrNo != -1 { + t.Errorf("File should not exist: ErrNo=%d ErrText=%s", response.ErrNo, response.ErrText) + } } // We should not panic when somebody feeds requests that make no sense -- cgit v1.2.3