Home - Waterfall Grid T-Grid Console Builders Recent Builds Buildslaves Changesources - JSON API - About

Change #274408

Category wget
Changed by Acts1631 <acts1631kjvohnoyoudont@proton.me>
Changed at Thu 09 Jul 2026 19:47:42
Repository https://gitlab.com/gnuwget/wget.git
Project wget
Branch master
Revision 6b5166521a95318648a64d09dbf23b27d979ac4e

Comments

ftp: reject unsafe symlink targets in directory listings
* src/ftp-ls.c: New function ftp_ls_unsafe_symlink_target(),
  (ftp_parse_unix_ls): Reject unsafe symlink targets.

ftp_parse_unix_ls() copied the target of a symlink entry (the text
after " -> " in a LIST response) verbatim into f->linkto, which is
later passed straight to symlink() when recreating the remote
directory tree locally (this only happens when the user has disabled
the safe default with --retr-symlinks=no; see CVE-2014-4877).  Because
the target was never validated, a malicious or compromised FTP server
could use an absolute path or a "../" sequence to make Wget create a
symlink pointing anywhere on the local filesystem.

Add ftp_ls_unsafe_symlink_target() and reject any symlink entry whose
target is an absolute path or contains a ".." path component (as an
exact path component, not merely the substring "..", so names like
"foo..bar" are unaffected).  The rejected entry is skipped, same as
any other malformed listing line.

Verified with a fake FTP server returning a LIST response with a
symlink pointing to /tmp/opencode/evil_target and to
../../../../etc/passwd while running with -r --retr-symlinks=no:
before the fix Wget creates the symlink outside the download tree;
after the fix the entry is skipped with a debug message.  Legitimate
relative symlinks (e.g. "somefile.txt", "foo..bar") continue to be
created as before.

Copyright-paperwork-exempt: Yes

Changed files