From: "Omar Polo"
Subject: Re: gotwebd request path validation for -portable
To: Stefan Sperling
Cc: gameoftrees@openbsd.org
Date: Mon, 08 Sep 2025 14:37:41 +0200

Stefan Sperling wrote:
> Block gotwebd requests with paths that point at repositories outside
> the server's assigned repository directory. This is needed for -portable
> where we cannot assume that chroot or unveil would prevent such access.
>
> There is no problem on OpenBSD because unveil(2) already prevents this.
>
> At present this is an accidental leak of unrelated repositories which
> a system running gotwebd might have somewhere on disk where the _gotwebd
> user can read them. Once we add authentication to gotwebd this bug could
> potentially be used to bypass authentication.
>
> This fix applies early defenses in the query parser and when gotwebd looks
> up repositories on disk in case the query parser's verification is bypassed
> somehow. Is this good enough?
>
> ok?

nice catch, ok op@

i'd prefer if the two functions would have a different name to avoid
confusion, but the types are different so it's ok.

> (Technically the HEADREF is not a path and could have much stricter checks
> applied to it. But got_ref_open will already do those additional checks.)
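
The two layers described in the quoted message (a check in the query parser, repeated at the on-disk lookup) can be sketched as follows. This is an added example, not code from the patch or from gotwebd: the function names, the realpath(3)-based containment test, and the /srv/repos root are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700	/* realpath(3), PATH_MAX */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layer 1, query parser: relative path, no empty, "." or ".." component. */
int request_path_ok(const char *p)
{
	if (p == NULL || *p == '\0' || *p == '/')
		return 0;
	while (*p != '\0') {
		size_t n = strcspn(p, "/");	/* length of this component */
		if (n <= 2 && strspn(p, ".") >= n)	/* "", "." or ".." */
			return 0;
		p += n + (p[n] == '/');
	}
	return 1;
}

/* Is canonical path `resolved` strictly below canonical directory `root`? */
int path_is_below(const char *root, const char *resolved)
{
	size_t len = strlen(root);
	if (len == 0 || strncmp(root, resolved, len) != 0)
		return 0;
	if (root[len - 1] == '/')	/* root is "/" */
		return resolved[len] != '\0';
	/* the separator check keeps /srv/repos-private out of /srv/repos */
	return resolved[len] == '/' && resolved[len + 1] != '\0';
}

/* Layer 2, disk lookup: resolve symlinks, then require containment (0 = ok). */
int repo_lookup(const char *root, const char *req, char *out)
{
	char joined[PATH_MAX], real_root[PATH_MAX];
	if (!request_path_ok(req))	/* repeated in case the parser is bypassed */
		return -1;
	int n = snprintf(joined, sizeof(joined), "%s/%s", root, req);
	if (n < 0 || (size_t)n >= sizeof(joined) ||
	    realpath(root, real_root) == NULL || realpath(joined, out) == NULL)
		return -1;
	return path_is_below(real_root, out) ? 0 : -1;
}

int main(void)
{
	char out[PATH_MAX];	/* constructed root and request path */
	printf("%d\n", repo_lookup("/srv/repos", "../private.git", out));
	return 0;
}
```

The lexical check alone does not catch a symlink inside the repository directory that points elsewhere, which is why the lookup resolves the path before comparing it against the root.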