From 18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7 Mon Sep 17 00:00:00 2001 From: Darshit Shah Date: Sun, 07 Sep 2014 19:11:17 +0000 Subject: CVE-2014-4877: Arbitrary Symlink Access Wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP. This commit changes the default settings in Wget such that Wget no longer creates local symbolic links, but rather traverses them and retrieves the pointed-to file in such a retrieval. The old behaviour can be attained by passing the --retr-symlinks=no option to the Wget invocation command. --- Index: wget-1.13.4/doc/ChangeLog =================================================================== --- wget-1.13.4.orig/doc/ChangeLog 2014-10-30 08:58:58.000000000 +0100 +++ wget-1.13.4/doc/ChangeLog 2014-10-30 09:58:12.000000000 +0100 @@ -1,3 +1,9 @@ +2014-09-08 Darshit Shah + + * wget.texi (symbolic links): Update documentation of retr-symlinks to + reflect the new default. Add warning about potential security issues with + --retr-symlinks=yes. + 2011-08-18 Giuseppe Scrivano * texi2pod.pl: Don't assume the perl executable is under /usr/bin/. Index: wget-1.13.4/doc/wget.texi =================================================================== --- wget-1.13.4.orig/doc/wget.texi 2014-10-30 08:58:58.000000000 +0100 +++ wget-1.13.4/doc/wget.texi 2014-10-30 08:58:58.000000000 +0100
@@ -1739,17 +1739,18 @@ @cindex symbolic links, retrieving @item --retr-symlinks -Usually, when retrieving @sc{ftp} directories recursively and a symbolic -link is encountered, the linked-to file is not downloaded. Instead, a -matching symbolic link is created on the local filesystem. The -pointed-to file will not be downloaded unless this recursive retrieval -would have encountered it separately and downloaded it anyway. +By default, when retrieving @sc{ftp} directories recursively and a symbolic link +is encountered, the symbolic link is traversed and the pointed-to files are +retrieved. Currently, Wget does not traverse symbolic links to directories to +download them recursively, though this feature may be added in the future. -When @samp{--retr-symlinks} is specified, however, symbolic links are -traversed and the pointed-to files are retrieved. At this time, this -option does not cause Wget to traverse symlinks to directories and -recurse through them, but in the future it should be enhanced to do -this. +When @samp{--retr-symlinks=no} is specified, the linked-to file is not +downloaded. Instead, a matching symbolic link is created on the local +filesystem. The pointed-to file will not be retrieved unless this recursive +retrieval would have encountered it separately and downloaded it anyway. This +option poses a security risk where a malicious FTP Server may cause Wget to +write to files outside of the intended directories through a specially crafted +@sc{.listing} file. Note that when retrieving a file (not a directory) because it was specified on the command-line, rather than because it was recursed to, Index: wget-1.13.4/src/ChangeLog =================================================================== --- wget-1.13.4.orig/src/ChangeLog 2014-10-30 08:58:58.000000000 +0100 +++ wget-1.13.4/src/ChangeLog 2014-10-30 10:02:32.000000000 +0100 
@@ -1,3 +1,8 @@ +2014-09-08 Darshit Shah + + * init.c (defaults): Set retr-symlinks to true by default. This changes a + default setting of wget. Fixes security bug CVE-2014-4877 + 2011-09-13 Giuseppe Scrivano * ftp.c (ftp_retrieve_glob): Propagate correctly the `res' error Index: wget-1.13.4/src/init.c =================================================================== --- wget-1.13.4.orig/src/init.c 2014-10-30 08:58:58.000000000 +0100 +++ wget-1.13.4/src/init.c 2014-10-30 08:58:58.000000000 +0100 @@ -332,6 +332,22 @@ opt.dns_cache = true; opt.ftp_pasv = true; + /* 2014-09-07 Darshit Shah + * opt.retr_symlinks is set to true by default. Creating symbolic links on the + * local filesystem pose a security threat by malicious FTP Servers that + * server a specially crafted .listing file akin to this: + * + * lrwxrwxrwx 1 root root 33 Dec 25 2012 JoCxl6d8rFU -> / + * drwxrwxr-x 15 1024 106 4096 Aug 28 02:02 JoCxl6d8rFU + * + * A .listing file in this fashion makes Wget susceptiple to a symlink attack + * wherein the attacker is able to create arbitrary files, directories and + * symbolic links on the target system and even set permissions. + * + * Hence, by default Wget attempts to retrieve the pointed-to files and does + * not create the symbolic links locally. + */ + opt.retr_symlinks = true; #ifdef HAVE_SSL opt.check_cert = true;
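Review bot: in the doc/ChangeLog hunk the new entry says the warning was added for `--retr-symlinks=yes`, but the wget.texi change attaches the security warning to the `--retr-symlinks=no` paragraph, which is the mode that creates local symlinks from the server-supplied listing; change the entry to `--retr-symlinks=no` so the ChangeLog does not point readers at the safe setting. The entry is also dated 2014-09-08 while the commit header and the comment added in src/init.c say 2014-09-07; use one date across the ChangeLogs, the commit and the code comment so the fix is easy to trace by its CVE.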
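Review bot: in the wget.texi hunk the `@item --retr-symlinks` line is unchanged although the text below it now documents both the default (traverse) and the `--retr-symlinks=no` form; consider showing the argument on the item line, for example `@item --retr-symlinks[=no]`, so a reader skimming the option list does not still take the bare option as an opt-in. The added security sentence should also say that the link targets come from the remote `.listing` and are therefore under the server's control, which is the reason `no` is unsafe against an untrusted server; the current wording ("may cause Wget to write to files outside of the intended directories") states the effect without the cause. Minor: "FTP Server" is capitalised inconsistently with "symbolic link" and "directories" elsewhere in the paragraph.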
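Review bot: in the src/ChangeLog hunk the entry describes the change in terms of the internal field (`Set retr-symlinks to true by default`); since ChangeLog readers use this to assess exposure, it should name the user-visible option (`--retr-symlinks`) and state, as the commit message does, that the previous symlink-creating behaviour is still reachable with `--retr-symlinks=no`. The final sentence `Fixes security bug CVE-2014-4877` is also missing its terminating period.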
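Review bot: in the src/init.c hunk, setting `opt.retr_symlinks = true` only flips the default; the path that creates local symlinks from the server-supplied `.listing` (still reachable with `--retr-symlinks=no`, as the commit message says) is left exactly as it was, so one flag returns a user to the CVE-2014-4877 behaviour. Consider hardening that path in the same change, for instance rejecting absolute link targets and targets that resolve outside the download directory, so the opt-in no longer trusts the remote listing unconditionally. The new comment also has typos that will ship in the source: `server a specially crafted` should be `serve`, `susceptiple` should be `susceptible`, and `Creating symbolic links on the local filesystem pose` should be `poses`.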