Blame SOURCES/0130-dd-harden-functions-against-directory-traversal-issu.patch

5f7b57
From 239c4f7d1f47265526b39ad70106767d00805277 Mon Sep 17 00:00:00 2001
5f7b57
From: Jakub Filak <jfilak@redhat.com>
5f7b57
Date: Thu, 23 Apr 2015 13:30:15 +0200
5f7b57
Subject: [LIBREPORT PATCH] dd: harden functions against directory traversal
5f7b57
 issues
5f7b57
5f7b57
Test correctness of all accessed dump dir files in all dd* functions.
5f7b57
Before this commit, the callers were allowed to pass strings like
5f7b57
"../../etc/shadow" in the filename argument of all dd* functions.
5f7b57
5f7b57
Related: #1214457
5f7b57
5f7b57
Signed-off-by: Jakub Filak <jfilak@redhat.com>
5f7b57
---
5f7b57
 src/lib/create_dump_dir.c | 19 ++++++++++++-------
5f7b57
 src/lib/dump_dir.c        | 22 ++++++++++++++++++++++
5f7b57
 2 files changed, 34 insertions(+), 7 deletions(-)
5f7b57
5f7b57
diff --git a/src/lib/create_dump_dir.c b/src/lib/create_dump_dir.c
5f7b57
index 4f67523..989a50c 100644
5f7b57
--- a/src/lib/create_dump_dir.c
5f7b57
+++ b/src/lib/create_dump_dir.c
5f7b57
@@ -42,6 +42,12 @@ struct dump_dir *create_dump_dir_from_problem_data(problem_data_t *problem_data,
5f7b57
         return NULL;
5f7b57
     }
5f7b57
 
5f7b57
+    if (!str_is_correct_filename(type))
5f7b57
+    {
5f7b57
+        error_msg(_("'%s' is not correct file name"), FILENAME_ANALYZER);
5f7b57
+        return NULL;
5f7b57
+    }
5f7b57
+
5f7b57
     uid_t uid = (uid_t)-1L;
5f7b57
     char *uid_str = problem_data_get_content_or_NULL(problem_data, FILENAME_UID);
5f7b57
 
5f7b57
@@ -105,6 +111,12 @@ struct dump_dir *create_dump_dir_from_problem_data(problem_data_t *problem_data,
5f7b57
     g_hash_table_iter_init(&iter, problem_data);
5f7b57
     while (g_hash_table_iter_next(&iter, (void**)&name, (void**)&value))
5f7b57
     {
5f7b57
+        if (!str_is_correct_filename(name))
5f7b57
+        {
5f7b57
+            error_msg("Problem data field name contains disallowed chars: '%s'", name);
5f7b57
+            continue;
5f7b57
+        }
5f7b57
+
5f7b57
         if (value->flags & CD_FLAG_BIN)
5f7b57
         {
5f7b57
             char *dest = concat_path_file(dd->dd_dirname, name);
5f7b57
@@ -119,13 +131,6 @@ struct dump_dir *create_dump_dir_from_problem_data(problem_data_t *problem_data,
5f7b57
             continue;
5f7b57
         }
5f7b57
 
5f7b57
-        /* only files should contain '/' and those are handled earlier */
5f7b57
-        if (name[0] == '.' || strchr(name, '/'))
5f7b57
-        {
5f7b57
-            error_msg("Problem data field name contains disallowed chars: '%s'", name);
5f7b57
-            continue;
5f7b57
-        }
5f7b57
-
5f7b57
         dd_save_text(dd, name, value->content);
5f7b57
     }
5f7b57
 
5f7b57
diff --git a/src/lib/dump_dir.c b/src/lib/dump_dir.c
5f7b57
index 2a65100..0048faf 100644
5f7b57
--- a/src/lib/dump_dir.c
5f7b57
+++ b/src/lib/dump_dir.c
5f7b57
@@ -345,6 +345,9 @@ static inline struct dump_dir *dd_init(void)
5f7b57
 
5f7b57
 int dd_exist(const struct dump_dir *dd, const char *path)
5f7b57
 {
5f7b57
+    if (!str_is_correct_filename(path))
5f7b57
+        error_msg_and_die("Cannot test existence. '%s' is not a valid file name", path);
5f7b57
+
5f7b57
     char *full_path = concat_path_file(dd->dd_dirname, path);
5f7b57
     int ret = exist_file_dir(full_path);
5f7b57
     free(full_path);
5f7b57
@@ -1044,6 +1047,13 @@ char* dd_load_text_ext(const struct dump_dir *dd, const char *name, unsigned fla
5f7b57
 //    if (!dd->locked)
5f7b57
 //        error_msg_and_die("dump_dir is not opened"); /* bug */
5f7b57
 
5f7b57
+    if (!str_is_correct_filename(name))
5f7b57
+    {
5f7b57
+        error_msg("Cannot load text. '%s' is not a valid file name", name);
5f7b57
+        if (!(flags & DD_LOAD_TEXT_RETURN_NULL_ON_FAILURE))
5f7b57
+            xfunc_die();
5f7b57
+    }
5f7b57
+
5f7b57
     /* Compat with old abrt dumps. Remove in abrt-2.1 */
5f7b57
     if (strcmp(name, "release") == 0)
5f7b57
         name = FILENAME_OS_RELEASE;
5f7b57
@@ -1065,6 +1075,9 @@ void dd_save_text(struct dump_dir *dd, const char *name, const char *data)
5f7b57
     if (!dd->locked)
5f7b57
         error_msg_and_die("dump_dir is not opened"); /* bug */
5f7b57
 
5f7b57
+    if (!str_is_correct_filename(name))
5f7b57
+        error_msg_and_die("Cannot save text. '%s' is not a valid file name", name);
5f7b57
+
5f7b57
     char *full_path = concat_path_file(dd->dd_dirname, name);
5f7b57
     save_binary_file(full_path, data, strlen(data), dd->dd_uid, dd->dd_gid, dd->mode);
5f7b57
     free(full_path);
5f7b57
@@ -1075,6 +1088,9 @@ void dd_save_binary(struct dump_dir* dd, const char* name, const char* data, uns
5f7b57
     if (!dd->locked)
5f7b57
         error_msg_and_die("dump_dir is not opened"); /* bug */
5f7b57
 
5f7b57
+    if (!str_is_correct_filename(name))
5f7b57
+        error_msg_and_die("Cannot save binary. '%s' is not a valid file name", name);
5f7b57
+
5f7b57
     char *full_path = concat_path_file(dd->dd_dirname, name);
5f7b57
     save_binary_file(full_path, data, size, dd->dd_uid, dd->dd_gid, dd->mode);
5f7b57
     free(full_path);
5f7b57
@@ -1082,6 +1098,9 @@ void dd_save_binary(struct dump_dir* dd, const char* name, const char* data, uns
5f7b57
 
5f7b57
 long dd_get_item_size(struct dump_dir *dd, const char *name)
5f7b57
 {
5f7b57
+    if (!str_is_correct_filename(name))
5f7b57
+        error_msg_and_die("Cannot get item size. '%s' is not a valid file name", name);
5f7b57
+
5f7b57
     long size = -1;
5f7b57
     char *iname = concat_path_file(dd->dd_dirname, name);
5f7b57
     struct stat statbuf;
5f7b57
@@ -1106,6 +1125,9 @@ int dd_delete_item(struct dump_dir *dd, const char *name)
5f7b57
     if (!dd->locked)
5f7b57
         error_msg_and_die("dump_dir is not opened"); /* bug */
5f7b57
 
5f7b57
+    if (!str_is_correct_filename(name))
5f7b57
+        error_msg_and_die("Cannot delete item. '%s' is not a valid file name", name);
5f7b57
+
5f7b57
     char *path = concat_path_file(dd->dd_dirname, name);
5f7b57
     int res = unlink(path);
5f7b57
 
5f7b57
-- 
5f7b57
1.8.3.1
5f7b57