libpsl: fix to not leak build-time PSL db filename into the binaries [ci skip]

vszakats · vszakats · commit 27fe69e7256a · 2025-11-14T04:30:09.000+01:00
To prevent libpsl trying to load it a runtime, insecurely, from
uncontrolled, potentially world-writable disk locations, and overriding
the embedded PSL database with it.

Fix by patching the code generated by the Python script shipping with
libpsl. Also verify that the filename is not present in the C source.

Explanation:

The libpsl script responsible for generating the embedded PSL data is
also including the local, built-time PSL data filename in the generated
C source. In case of curl-for-win this filename is a relative one.
When curl/libcurl calls `psl_latest()` to load the list, libpsl is
accessing this filename on disk, and if there is such file that's newer
than the embedded PSL data, it loads it. This filename in practice is
a relative one to the current working directory. It means that an
attacker can place an empty or doctored, new PSL database on disk and
override the embedded one with it.

Probably something to be fixed in upstream libpsl, possibly by allowing
to customize the filename that is being hard-coded (including to an
empty filename to prevent loading it), and/or allowing to disable the
dynamic loading feature fully.

(The latter would also fix the `stat()` use issue on Windows and
mingw-w64 v13.)
diff --git a/libpsl.sh b/libpsl.sh
@@ -23,7 +23,32 @@ _VER="$1"
   # Build manually
 
   # require the psl package, always
-  [ -f 'suffixes_dafsa.h' ] || python3 'src/psl-make-dafsa' --output-format=cxx+ "../psl/${_PSL}" 'suffixes_dafsa.h'
+  if [ ! -f 'suffixes_dafsa.h' ]; then
+    pslfile="../psl/${_PSL}"
+    gencsrc='suffixes_dafsa.h'
+    python3 'src/psl-make-dafsa' --output-format=cxx+ "${pslfile}" "${gencsrc}"
+    # The generator above is including the local PDL filename in the output.
+    # libpsl is then making an attemp to load this filename at runtime as-is
+    # and loading its content if its timestamp is newer than the embedded one.
+    # This is terrible idea in many use cases, including this one, because:
+    # - the filename is relative one.
+    # - this is loaded on the end user's machine, relative to their current
+    #   working directory.
+    # - which is by good chance world-writable, and for sure without any
+    #   guarantees for protection.
+    # - there is no universal location on disks that is not world-writable.
+    # - leaks this internal filename into the final binary.
+    # Similar case to OpenSSL configurations and CA bundles loaded from
+    # world-writable, or arbitrary places on disk (such as PATH), on Windows.
+    # To avoid these issues, strip the filename from the output to avoid
+    # loading it at runtime:
+    sed -i.bak -E 's/(_psl_filename\[\]) *=.+/\1 = "";/g' "${gencsrc}"
+    # Verify and abort if the filename is still found in the file
+    if grep -a -F "${pslfile}" "${gencsrc}"; then
+      echo "! Error: Our local PSL database filename is leaking into the libpsl code."
+      exit 1
+    fi
+  fi
 
   mkdir -p "${_BLDDIR}"
   (
