Change #274408
| Category | wget |
| Changed by | Acts1631 <acts1631kjv@proton.me> |
| Changed at | Thu 09 Jul 2026 19:47:42 |
| Repository | https://gitlab.com/gnuwget/wget.git |
| Project | wget |
| Branch | master |
| Revision | 6b5166521a95318648a64d09dbf23b27d979ac4e |
Comments
ftp: reject unsafe symlink targets in directory listings * src/ftp-ls.c: New function ftp_ls_unsafe_symlink_target(), (ftp_parse_unix_ls): Reject unsafe symlink targets. ftp_parse_unix_ls() copied the target of a symlink entry (the text after " -> " in a LIST response) verbatim into f->linkto, which is later passed straight to symlink() when recreating the remote directory tree locally (this only happens when the user has disabled the safe default with --retr-symlinks=no; see CVE-2014-4877). Because the target was never validated, a malicious or compromised FTP server could use an absolute path or a "../" sequence to make Wget create a symlink pointing anywhere on the local filesystem. Add ftp_ls_unsafe_symlink_target() and reject any symlink entry whose target is an absolute path or contains a ".." path component (as an exact path component, not merely the substring "..", so names like "foo..bar" are unaffected). The rejected entry is skipped, same as any other malformed listing line. Verified with a fake FTP server returning a LIST response with a symlink pointing to /tmp/opencode/evil_target and to ../../../../etc/passwd while running with -r --retr-symlinks=no: before the fix Wget creates the symlink outside the download tree; after the fix the entry is skipped with a debug message. Legitimate relative symlinks (e.g. "somefile.txt", "foo..bar") continue to be created as before. Copyright-paperwork-exempt: Yes
Changed files
- src/ftp-ls.c