--- doc/wget.texi_orig 2014-11-04 17:51:03 +0500 +++ doc/wget.texi 2014-11-04 17:52:37 +0500 @@ -1242,17 +1242,18 @@ @cindex symbolic links, retrieving @item --retr-symlinks -Usually, when retrieving @sc{ftp} directories recursively and a symbolic -link is encountered, the linked-to file is not downloaded. Instead, a -matching symbolic link is created on the local filesystem. The -pointed-to file will not be downloaded unless this recursive retrieval -would have encountered it separately and downloaded it anyway. +By default, when retrieving @sc{ftp} directories recursively and a symbolic link +is encountered, the symbolic link is traversed and the pointed-to files are +retrieved. Currently, Wget does not traverse symbolic links to directories to +download them recursively, though this feature may be added in the future. -When @samp{--retr-symlinks} is specified, however, symbolic links are -traversed and the pointed-to files are retrieved. At this time, this -option does not cause Wget to traverse symlinks to directories and -recurse through them, but in the future it should be enhanced to do -this. +When @samp{--retr-symlinks=no} is specified, the linked-to file is not +downloaded. Instead, a matching symbolic link is created on the local +filesystem. The pointed-to file will not be retrieved unless this recursive +retrieval would have encountered it separately and downloaded it anyway. This +option poses a security risk where a malicious FTP Server may cause Wget to +write to files outside of the intended directories through a specially crafted +@sc{.listing} file. Note that when retrieving a file (not a directory) because it was specified on the command-line, rather than because it was recursed to, --- src/init.c_orig 2014-11-04 17:52:56 +0500 +++ src/init.c 2014-11-04 18:02:21 +0500 @@ -286,6 +286,23 @@ opt.dots_in_line = 50; opt.dns_cache = 1; + /* 2014-09-07 Darshit Shah + * opt.retr_symlinks is set to true by default. Creating symbolic links on the + * local filesystem pose a security threat by malicious FTP Servers that + * server a specially crafted .listing file akin to this: + * + * lrwxrwxrwx 1 root root 33 Dec 25 2012 JoCxl6d8rFU -> / + * drwxrwxr-x 15 1024 106 4096 Aug 28 02:02 JoCxl6d8rFU + * + * A .listing file in this fashion makes Wget susceptiple to a symlink attack + * wherein the attacker is able to create arbitrary files, directories and + * symbolic links on the target system and even set permissions. + * + * Hence, by default Wget attempts to retrieve the pointed-to files and does + * not create the symbolic links locally. + */ + opt.retr_symlinks = 1; + /* The default for file name restriction defaults to the OS type. */ #if !defined(WINDOWS) && !defined(__CYGWIN__) --- src/ftp.c_orig 2014-11-04 18:02:40 +0500 +++ src/ftp.c 2014-11-04 18:06:07 +0500 @@ -1607,6 +1607,30 @@ return 0; } +/* Test if the file node is invalid. This can occur due to malformed or + * maliciously crafted listing files being returned by the server. + * + * Currently, this function only tests if there are multiple entries in the + * listing file by the same name. However this function can be expanded as more + * such illegal listing formats are discovered. */ +static int +is_invalid_entry (struct fileinfo *f) +{ + struct fileinfo *cur; + char *f_name = f->name; + cur = f; + /* If the node we're currently checking has a duplicate later, we eliminate + * the current node and leave the next one intact. */ + while (cur->next) + { + cur = cur->next; + if (strcmp(f_name, cur->name) == 0) + return 1; + } + return 0; +} + + /* A near-top-level function to retrieve the files in a directory. The function calls ftp_get_listing, to get a linked list of files. Then it weeds out the file names that do not match the pattern. @@ -1642,11 +1666,11 @@ f = f->next; } } - /* Remove all files with possible harmful names */ + /* Remove all files with possible harmful names or invalid entries. */ f = start; while (f) { - if (has_insecure_name_p (f->name)) + if (has_insecure_name_p (f->name) || is_invalid_entry (f)) { logprintf (LOG_VERBOSE, _("Rejecting `%s'.\n"), f->name); f = delelement (f, &start);