CVE-2023-35852-1
commit aee1523b4591430ebed1ded0bb95508e6717a335
Author: Jason Ish <jason.ish@oisf.net>
Date: Tue May 23 15:17:59 2023 -0600

datasets: don't allow absolute or paths with directory traversal

For dataset filenames coming from rules, do not allow filenames that
are absolute or contain a directory traversal with "..". This prevents
datasets from escaping the defined data-directory which may allow a bad
rule to overwrite any file that Suricata has permission to write to.

Add a new configuration option,
"datasets.rules.allow-absolute-filenames" to allow absolute filenames
in dataset rules. This will be a way to revert back to the pre 6.0.13
behavior where save/state rules could use any filename.

Ticket: #6118
Gbp-Pq: Name CVE-2023-35852-1.patch
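
The filename check this commit message describes, sketched as an added example (not Suricata's code and not part of the patch). The function names are hypothetical, and the example assumes that ".." components stay rejected even when absolute filenames are allowed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; these are not Suricata functions. */

/* True if any '/'- or '\'-separated component is exactly "..". */
static bool path_has_traversal(const char *path)
{
    const char *p = path;
    while (*p != '\0') {
        size_t len = strcspn(p, "/\\");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return true;
        p += len;
        if (*p != '\0')
            p++; /* step over the separator */
    }
    return false;
}

/* Leading separator, or a drive prefix such as "C:" (treated conservatively). */
static bool path_is_absolute(const char *path)
{
    if (path[0] == '/' || path[0] == '\\')
        return true;
    return isalpha((unsigned char)path[0]) && path[1] == ':';
}

/* allow_absolute models datasets.rules.allow-absolute-filenames.
 * Assumption: ".." is rejected regardless of that setting. */
bool dataset_rule_filename_ok(const char *name, bool allow_absolute)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (path_has_traversal(name))
        return false;
    return allow_absolute || !path_is_absolute(name);
}

int main(void)
{
    /* Constructed sample filenames, as a rule's dataset keyword might supply. */
    const char *names[] = { "lists/domains.lst", "/etc/cron.d/x", "../../etc/x", "my..file.lst" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-20s default=%d allow-absolute=%d\n", names[i],
               dataset_rule_filename_ok(names[i], false), dataset_rule_filename_ok(names[i], true));
    return 0;
}
```

The check is component-based, so a name such as `my..file.lst` is accepted while `a/..` is not; a substring search for ".." would reject both.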