CVE-2014-4877: Arbitrary Symlink Access

Wget was susceptible to a symlink attack which could create arbitrary
files, directories or symbolic links and set their permissions when
retrieving a directory recursively through FTP. This commit changes the
default settings in Wget such that Wget no longer creates local symbolic
links, but rather traverses them and retrieves the pointed-to file in
such a retrieval.

The old behaviour can be attained by passing the --retr-symlinks=no
option to the Wget invokation command.

doc/ChangeLog

@@ -1,3 +1,9 @@
+2014-09-08  Darshit Shah  <darnir@gmail.com>
+
+	* wget.texi (symbolic links): Update documentation of retr-symlinks to
+	reflect the new default. Add warning about potential security issues with
+	--retr-symlinks=yes.
+
 2014-10-16  Tim Ruehsen  <tim.ruehsen@gmx.de>
 
 	* wget.texi (Download Options): update --secure-protocol description

doc/wget.texi

@@ -1883,17 +1883,18 @@ Preserve remote file permissions instead of permissions set by umask.
 
 @cindex symbolic links, retrieving
 @item --retr-symlinks
-Usually, when retrieving @sc{ftp} directories recursively and a symbolic
+By default, when retrieving @sc{ftp} directories recursively and a symbolic link
-link is encountered, the linked-to file is not downloaded.  Instead, a
+is encountered, the symbolic link is traversed and the pointed-to files are
-matching symbolic link is created on the local filesystem.  The
+retrieved.  Currently, Wget does not traverse symbolic links to directories to
-pointed-to file will not be downloaded unless this recursive retrieval
+download them recursively, though this feature may be added in the future.
-would have encountered it separately and downloaded it anyway.
 
-When @samp{--retr-symlinks} is specified, however, symbolic links are
+When @samp{--retr-symlinks=no} is specified, the linked-to file is not
-traversed and the pointed-to files are retrieved.  At this time, this
+downloaded.  Instead, a matching symbolic link is created on the local
-option does not cause Wget to traverse symlinks to directories and
+filesystem.  The pointed-to file will not be retrieved unless this recursive
-recurse through them, but in the future it should be enhanced to do
+retrieval would have encountered it separately and downloaded it anyway.  This
-this.
+option poses a security risk where a malicious FTP Server may cause Wget to
+write to files outside of the intended directories through a specially crafted
+@sc{.listing} file.
 
 Note that when retrieving a file (not a directory) because it was
 specified on the command-line, rather than because it was recursed to,

src/ChangeLog

@@ -1,3 +1,8 @@
+2014-09-08  Darshit Shah  <darnir@gmail.com>
+
+	* init.c (defaults): Set retr-symlinks to true by default. This changes a
+	default setting of wget. Fixes security bug CVE-2014-4877
+
 2014-10-08 Nikolay Morozov <n.morozov@securitycode.ru>
 	   Sergey Lvov <s.lvov@securitycode.ru>
 

src/init.c

@@ -366,6 +366,22 @@ defaults (void)
 
   opt.dns_cache = true;
   opt.ftp_pasv = true;
+  /* 2014-09-07  Darshit Shah  <darnir@gmail.com>
+   * opt.retr_symlinks is set to true by default. Creating symbolic links on the
+   * local filesystem pose a security threat by malicious FTP Servers that
+   * server a specially crafted .listing file akin to this:
+   *
+   * lrwxrwxrwx   1 root     root           33 Dec 25  2012 JoCxl6d8rFU -> /
+   * drwxrwxr-x  15 1024     106          4096 Aug 28 02:02 JoCxl6d8rFU
+   *
+   * A .listing file in this fashion makes Wget susceptiple to a symlink attack
+   * wherein the attacker is able to create arbitrary files, directories and
+   * symbolic links on the target system and even set permissions.
+   *
+   * Hence, by default Wget attempts to retrieve the pointed-to files and does
+   * not create the symbolic links locally.
+   */
+  opt.retr_symlinks = true;
 
 #ifdef HAVE_SSL
   opt.check_cert = true;