W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2009

Re: [widgets] Comments on Widget Signature update (was RE: Widget Signature update)

From: Marcos Caceres <marcosc@opera.com>
Date: Tue, 17 Mar 2009 12:14:39 +0100
Message-ID: <b21a10670903170414r733667aele897525f3109cc1b@mail.gmail.com>
To: Marcin Hanclik <Marcin.Hanclik@access-company.com>
Cc: "Priestley, Mark, VF-Group" <Mark.Priestley@vodafone.com>, Frederick Hirsch <Frederick.Hirsch@nokia.com>, WebApps WG <public-webapps@w3.org>
On Thu, Mar 12, 2009 at 6:27 PM, Marcin Hanclik
<Marcin.Hanclik@access-company.com> wrote:
> Hi Mark,
>>>"Implementations that store the content of widget archives to the file >>system during signature verification MUST NOT trust any path components of >>file names present in the archive, to avoid overwriting of arbitrary files >>during signature verification."
>>>{Comment] I don't understand this sentence - which may well be a problem >>with my understanding rather than the sentence - please can you enlighten >>me, thanks.
> I assume it is as follows:
> 1. Imagine the WUA is processing a widget archive, i.e. a zip file where each file has its associate relative path.
> ZIP spec contains the following text:
> file name: (Variable)
>          The name of the file, with optional relative path.
>          The path stored should not contain a drive or
>          device letter, or a leading slash.
> I.e. the path may be virtually any string.

Yep. Don't know if this helps, but in the packaging we define the
notion of a "file entry", which is essentially, the file name (path),
and the compressed data.

> 2. Prior to signature verification the archive is untrusted.

right. In the packaging spec, we call this a potential zip archive and
a potential widget archive, IIRC.

> 3. Next, let's assume WUA is configured to store the temporary files from the widget archive (storage may be necessary for devices with limited RAM) in a folder like C:/widgetplayer (e.g. on Win32/WinCE).
> 4. Then a file from a widget archive could have a path like "../windows/XXX".
> 5. As for me the text says that the path should be ignored when processing the signature to prevent WUA from storing the files e.g. in a sensitive folder like "c:/windows/" as it could be the case when combining the above paths.

This sounds like an implementation detail. A warning note to
implementers should be sufficient to address this.

Marcos Caceres
Received on Tuesday, 17 March 2009 11:15:26 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:14 UTC