Re: [widgets] Comments on Widget Signature update (was RE: Widget Signature update) from Marcos Caceres on 2009-03-17 (public-webapps@w3.org from January to March 2009)

From: Marcos Caceres <marcosc@opera.com>
Date: Tue, 17 Mar 2009 12:14:39 +0100
To: Marcin Hanclik <Marcin.Hanclik@access-company.com>
Cc: "Priestley, Mark, VF-Group" <Mark.Priestley@vodafone.com>, Frederick Hirsch <Frederick.Hirsch@nokia.com>, WebApps WG <public-webapps@w3.org>
Message-ID: <b21a10670903170414r733667aele897525f3109cc1b@mail.gmail.com>

On Thu, Mar 12, 2009 at 6:27 PM, Marcin Hanclik
<Marcin.Hanclik@access-company.com> wrote:
> Hi Mark,
>
>>>"Implementations that store the content of widget archives to the file >>system during signature verification MUST NOT trust any path components of >>file names present in the archive, to avoid overwriting of arbitrary files >>during signature verification."
>>>
>>>{Comment] I don't understand this sentence - which may well be a problem >>with my understanding rather than the sentence - please can you enlighten >>me, thanks.
> I assume it is as follows:
>
> 1. Imagine the WUA is processing a widget archive, i.e. a zip file where each file has its associate relative path.
>
> ZIP spec contains the following text:
>
> file name: (Variable)
>
>          The name of the file, with optional relative path.
>          The path stored should not contain a drive or
>          device letter, or a leading slash.
> I.e. the path may be virtually any string.

Yep. Don't know if this helps, but in the packaging we define the
notion of a "file entry", which is essentially, the file name (path),
and the compressed data.

> 2. Prior to signature verification the archive is untrusted.

right. In the packaging spec, we call this a potential zip archive and
a potential widget archive, IIRC.

> 3. Next, let's assume WUA is configured to store the temporary files from the widget archive (storage may be necessary for devices with limited RAM) in a folder like C:/widgetplayer (e.g. on Win32/WinCE).
>
> 4. Then a file from a widget archive could have a path like "../windows/XXX".
>
> 5. As for me the text says that the path should be ignored when processing the signature to prevent WUA from storing the files e.g. in a sensitive folder like "c:/windows/" as it could be the case when combining the above paths.
>

This sounds like an implementation detail. A warning note to
implementers should be sufficient to address this.


-- 
Marcos Caceres
http://datadriven.com.au

Received on Tuesday, 17 March 2009 11:15:26 UTC