[ovs-dev] [PATCH 1/3] bridge: Relax the whitelist format for punix path.

Ben Pfaff blp at nicira.com
Wed Aug 26 20:51:13 UTC 2015


On Fri, Aug 21, 2015 at 11:10:31PM -0700, Alex Wang wrote:
> This commit relaxes the whitelist format for punix path for
> service controller.  Instead of only allowing
> punix:<ovs_rundir>/<bridge_name>.controller, the new format
> allows any suffix, like punix:<ovs_rundir>/<bridge_name>.*.
> 
> Signed-off-by: Alex Wang <alexw at nicira.com>

I think there's still a bit of an issue here.  The goal here for punix
sockets is to avoid allowing a file to be overwritten.  I think that
requires both ensuring that the correct directory is in use and that
there are no .. components in the path.  One effectiveness way to do the
latter would to be make sure that there are no slashes following the
directory.
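
An added example, not part of the original message and not code from the OVS tree: one way to implement the check described above, accepting punix:<ovs_rundir>/<bridge_name>.<suffix> only when no slash follows the run directory. The function name, the sample paths, and the requirement that the suffix be non-empty are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not an OVS function).  Returns true only if 'target'
 * is "punix:<rundir>/<bridge>.<suffix>" with nothing but a plain file name
 * after the run directory.  'rundir' is assumed to have no trailing slash. */
bool
punix_target_is_whitelisted(const char *target, const char *rundir,
                            const char *bridge)
{
    static const char scheme[] = "punix:";
    size_t scheme_len = sizeof scheme - 1;
    size_t dir_len = strlen(rundir);
    size_t br_len = strlen(bridge);
    const char *name;

    if (!dir_len || !br_len || strchr(bridge, '/')) {
        return false;               /* Degenerate inputs never match. */
    }
    if (strncmp(target, scheme, scheme_len)) {
        return false;               /* Not a punix: target. */
    }
    target += scheme_len;

    /* The directory must match exactly and be followed by '/', so that
     * "<rundir>2/..." or "<rundir>-evil/..." cannot pass as a prefix match. */
    if (strncmp(target, rundir, dir_len) || target[dir_len] != '/') {
        return false;
    }
    name = target + dir_len + 1;

    /* No slash after the directory: the socket is created directly in
     * 'rundir', which also rules out any ".." path component. */
    if (strchr(name, '/')) {
        return false;
    }

    /* File name must be "<bridge>." plus a suffix (non-empty: assumption). */
    if (strncmp(name, bridge, br_len) || name[br_len] != '.') {
        return false;
    }
    return name[br_len + 1] != '\0';
}

int
main(void)
{
    const char *t = "punix:/var/run/openvswitch/br0.mgmt"; /* constructed */
    printf("%s -> %d\n", t,
           punix_target_is_whitelisted(t, "/var/run/openvswitch", "br0"));
    return 0;
}
```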


