Attention is currently required from: Hoernchen, laforge, neels, osmith.
dexter has posted comments on this change by dexter. ( https://gerrit.osmocom.org/c/pysim/+/42625?usp=email )
Change subject: osmo-smdpp.py: fix path Traversal Bypass in SM-DP+ (CWE-22)
Patch Set 1:
(2 comments)
Patchset:
PS1: @neels and @laforge: I would suggest to filter the MatchingID according to SGP.22, section 4.1.1, but I am worried about compatibility. Please let me know what you think. (see also comment).
File osmo-smdpp.py:
https://gerrit.osmocom.org/c/pysim/+/42625/comment/b1cc06b0_dc56c827?usp=ema... : PS1, Line 643: if os.path.commonprefix((os.path.realpath(path),self.upp_dir)) != self.upp_dir:
The commit message doesn't make sense, given that there is `os.path. […]
Thanks for testing this. I didn't test it. I trusted the report as it seemed plausible.
In any case I think we should approach the problem differently. SGP.22, section 4.1.1 has a clear assumption on what a MatchingID should look like. The spec is very clear that a MatchingID should only contain 0-9, A-Z, "-" and nothing else. We could just filter correctly and be free of all worries.
Unfortunately we have incompatible file names in the /smdp-data/upp directory. So we may either rename those files or use a less strict filter.
As a compromise, we could allow a-z, ., and _ in addition.
What do you think?
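
An added example (not code from this change or from pysim): one way to apply the MatchingID filter discussed in the comment above, with the strict SGP.22 character set and the proposed relaxed set side by side, followed by a containment check on the resolved path. The helper names, the `.der` suffix, the flat directory layout and the sample IDs are assumptions; the containment check uses `os.path.commonpath`, not the `commonprefix` call quoted above.

```python
import os
import re

# Character set from the comment above (SGP.22 section 4.1.1): 0-9, A-Z and "-".
STRICT = re.compile(r"[0-9A-Z-]+")
# The proposed compromise: additionally a-z, "." and "_".
RELAXED = re.compile(r"[0-9A-Za-z._-]+")


def matching_id_ok(matching_id: str, strict: bool = True) -> bool:
    """Allowlist check on the whole string.

    fullmatch() is used so that a trailing newline or a valid-looking
    prefix followed by other characters is rejected.
    """
    pattern = STRICT if strict else RELAXED
    return pattern.fullmatch(matching_id) is not None


def resolve_upp(upp_dir: str, matching_id: str, strict: bool = True) -> str:
    """Return the profile path for matching_id, or raise ValueError.

    Hypothetical helper: the '.der' suffix is an assumption.
    """
    if not matching_id_ok(matching_id, strict):
        raise ValueError("MatchingID contains characters outside the allowlist")
    base = os.path.realpath(upp_dir)
    path = os.path.realpath(os.path.join(base, matching_id + ".der"))
    # Second layer: after symlinks are resolved, the file must still be
    # inside upp_dir. commonpath() compares whole path components.
    if os.path.commonpath((path, base)) != base:
        raise ValueError("resolved path is outside upp_dir")
    return path
```

Neither character set contains a path separator, so the filter alone keeps the name within one directory level; the resolved-path check additionally covers a symlink inside the directory that points elsewhere.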