rpc: Prevent dumpwallet from overwriting files#9937
Conversation
|
concept ACK |
|
Important fix. |
|
utACK 1307cd79b859f01a35d68dea9a674e56451f75f5 |
|
The change as written now allows to test the existence of any file. |
|
only downside I see to this is an in automated backup that leaves files behind, your backup will stop and you might not notice. (I think that is a preferable failure mode to what we have now) |
That seems preferable to overwriting any file, right? I tend to agree that being able to write arbitrary non-existing files is still a security risk, but it is tons better than what we have now. Do you have a suggestion that would avoid this usage but still offers the same functionality?
Suggestion: simply append a counter, or a date, or uniq-id. This is safer, too. Note that it throws an exception when the attempt fails, so if you don't notice you're not handling errors at all, which is dangerous for a ton of other reasons too. |
|
Updated the RPC help, too. |
We could make the check even stricter, only allowing writing of files within the data directory, or even better a |
|
What about this: if there is a file already present, add a timestamp to the file name and save. |
|
Yeah that could work... |
|
Closing this, feel free to implement a different solution, have no time for this at the moment. |
|
Reopening this and rebasing, I think this is basically a good fix, and was closed for unimportant concerns (compared to the problem it solves), and no one picked it up subsequently. |
laanwj
force-pushed
the
2017_03_walletdump_nooverwrite
branch
from
47d8fc5 to
cc928c5
Compare
src/wallet/rpcdump.cpp
Outdated
There was a problem hiding this comment.
What if a dumpwallet is executed after this check with the same filename, or the filename is created by other means? IMO we should use fopen with wx mode where x stands for:
File access mode flag "x" can optionally be appended to "w" or "w+" specifiers. This flag forces the function to fail if the file exists, instead of overwriting it. (C11)
and drop exists() test.
There was a problem hiding this comment.
I'm not terribly worried about race conditions here, just about overwriting existing files such as the wallet.
There was a problem hiding this comment.
Yes, the comment should have paranoia label..
|
Concept ACK |
|
And there is also the option to make the filename optional, where the default value is |
jnewbery
left a comment
jnewbery
left a comment
There was a problem hiding this comment.
Concept ACK, but currently fails to build :(
A few comments inline.
src/wallet/rpcdump.cpp
Outdated
There was a problem hiding this comment.
This help text is misleading. The relative path is relative to the directory from where bitcoind was started.
(really I think we should disallow relative paths entirely unless they're relative to some fixed point like the datadir)
There was a problem hiding this comment.
I agree relative paths should ideally be relative to the datadir (or refused altogether - at the least we should be consistent about them). However I am not changing that functionality here, and am also not touching this comment here.
src/wallet/rpcdump.cpp
Outdated
There was a problem hiding this comment.
nit: I don't think this needs such a long comment. Just say we don't allow files to be overwritten for safety.
There was a problem hiding this comment.
Meh, better too long than too short.
src/wallet/rpcdump.cpp
Outdated
There was a problem hiding this comment.
filename should be filepath?
Yes, many other things are possible. I'm not going to do that here. That's the reason I closed this before. However I only want to solve the overwrite problem here, which is not solved by making up filenames, only by refusing to overwrite files. |
Prevent arbitrary files from being overwritten. There have been reports that users have overwritten wallet files this way. It may also avoid other security issues. Fixes bitcoin#9934. Adds mention to release notes and adds a test.
laanwj
force-pushed
the
2017_03_walletdump_nooverwrite
branch
from
cc928c5 to
0cd9273
Compare
|
Tested ACK 0cd9273 |
|
Requires release notes (although this is fixing up undefined behaviour, there may be users who currently rely on that behaviour) |
A release notes change is already part of the PR. |
0cd9273 rpc: Prevent `dumpwallet` from overwriting files (Wladimir J. van der Laan) Pull request description: Prevent arbitrary files from being overwritten by `dumpwallet`. There have been reports that users have overwritten wallet files this way. It may also avoid other security issues. Fixes #9934. Adds mention to release notes and adds a test. Tree-SHA512: 268c98636d40924d793b55a685a0b419bafd834ad369edaec08227ebe26ed4470ddea73008d1c4beb10ea445db1b0bb8e3546ba8fc2d1a411ebd4a0de8ce9120
Prevent arbitrary files from being overwritten. There have been reports that users have overwritten wallet files this way. It may also avoid other security issues. Fixes bitcoin#9934. Adds mention to release notes and adds a test. Github-Pull: bitcoin#9937 Rebased-From: 0cd9273
|
@laanwj I also pushed this to the backports pull for 0.15.1 |
0cd9273 rpc: Prevent `dumpwallet` from overwriting files (Wladimir J. van der Laan) Pull request description: Prevent arbitrary files from being overwritten by `dumpwallet`. There have been reports that users have overwritten wallet files this way. It may also avoid other security issues. Fixes bitcoin#9934. Adds mention to release notes and adds a test. Tree-SHA512: 268c98636d40924d793b55a685a0b419bafd834ad369edaec08227ebe26ed4470ddea73008d1c4beb10ea445db1b0bb8e3546ba8fc2d1a411ebd4a0de8ce9120
9 participants
Prevent arbitrary files from being overwritten by
dumpwallet. There have been reports that users have overwritten wallet files this way. It may also avoid other security issues.Fixes #9934. Adds mention to release notes and adds a test.