[bug #13853] creation of archive with attachments writes over symlinks

2005-08-23 17:56:55

Follow-up Comment #3, bug #13853 (project mhonarc):

The symlink check is done to prevent local symlink attacks.

Somebody else recently reported a problem with mhonarc's behavior:
Please post a follow-up to the report providing specifics of your
case.  Also provide any diagnostic messages mhonarc produces
(for symlink stuff, mhonarc should generate a warning or error).

I see the "is a symlink, will try to replace..." message.

The problem is only if the final pathname component is a symlink.
A work-around is to not have the attachment directory be a symlink.

If I understand your problem correctly, I am guessing that you
have attachments being placed in the same location as the archive
directory.  And the archive directory is actually a symlink?

The archive directory is a symlink. Attachments are supposed to be placed in
a subdir, underneath the archive directory. I have not 100% verified that
this is what is happening, but have anecdotal evidence that makes me 85%

==== originally sent to mhonarc-users ====

Recently a colleague and I were doing some filespace juggling and
moved some mhonarc archives around. Specifically, we moved an archive
to a new parition and then made a symlink at the old location.  That
didn't go so well.

Most messages archived fine, then we hit one that had an attachment
and tried to create a directory to put the attachment in. Well, that
triggered some unusual code in that decided to delete the
symlink, create an empty directory, then mhonarc got confused as to
why all the message pages had disappeared. Everything went downhill
from there.

I'm not sure what intention of this code is, but at least for me it's
kind of dangerous and we were lucky to catch the issue right away.
We've commented out the portion of code, and seem to be ok. But maybe
it is something worth revisiting for the next mhonarc release.



   ## Check if $path is a symlink
   if (-l $path) {
       # symlink, try to delete
       warn qq/Warning: "$path" is a symlink, will try to replace...\n/;
       if (!unlink($path)) {
           die qq/ERROR: "$path" is a symlink, unable to remove: $!\n/;
   } elsif (-e $path) {
       die qq/ERROR: "$path" is not a directory: $!\n/  if !(-d _);
       # already exists, nothing to do


Reply to this item at:


  Message sent via/by Savannah

To sign-off this list, send email to majordomo(_at_)mhonarc(_dot_)org with the

<Prev in Thread] Current Thread [Next in Thread>
  • [bug #13853] creation of archive with attachments writes over symlinks, Jeff Breidenbach <=