|
|
5f7b57 |
From 239c4f7d1f47265526b39ad70106767d00805277 Mon Sep 17 00:00:00 2001
|
|
|
5f7b57 |
From: Jakub Filak <jfilak@redhat.com>
|
|
|
5f7b57 |
Date: Thu, 23 Apr 2015 13:30:15 +0200
|
|
|
5f7b57 |
Subject: [LIBREPORT PATCH] dd: harden functions against directory traversal
|
|
|
5f7b57 |
issues
|
|
|
5f7b57 |
|
|
|
5f7b57 |
Test correctness of all accessed dump dir files in all dd* functions.
|
|
|
5f7b57 |
Before this commit, the callers were allowed to pass strings like
|
|
|
5f7b57 |
"../../etc/shadow" in the filename argument of all dd* functions.
|
|
|
5f7b57 |
|
|
|
5f7b57 |
Related: #1214457
|
|
|
5f7b57 |
|
|
|
5f7b57 |
Signed-off-by: Jakub Filak <jfilak@redhat.com>
|
|
|
5f7b57 |
---
|
|
|
5f7b57 |
src/lib/create_dump_dir.c | 19 ++++++++++++-------
|
|
|
5f7b57 |
src/lib/dump_dir.c | 22 ++++++++++++++++++++++
|
|
|
5f7b57 |
2 files changed, 34 insertions(+), 7 deletions(-)
|
|
|
5f7b57 |
|
|
|
5f7b57 |
diff --git a/src/lib/create_dump_dir.c b/src/lib/create_dump_dir.c
|
|
|
5f7b57 |
index 4f67523..989a50c 100644
|
|
|
5f7b57 |
--- a/src/lib/create_dump_dir.c
|
|
|
5f7b57 |
+++ b/src/lib/create_dump_dir.c
|
|
|
5f7b57 |
@@ -42,6 +42,12 @@ struct dump_dir *create_dump_dir_from_problem_data(problem_data_t *problem_data,
|
|
|
5f7b57 |
return NULL;
|
|
|
5f7b57 |
}
|
|
|
5f7b57 |
|
|
|
5f7b57 |
+ if (!str_is_correct_filename(type))
|
|
|
5f7b57 |
+ {
|
|
|
5f7b57 |
+ error_msg(_("'%s' is not correct file name"), FILENAME_ANALYZER);
|
|
|
5f7b57 |
+ return NULL;
|
|
|
5f7b57 |
+ }
|
|
|
5f7b57 |
+
|
|
|
5f7b57 |
uid_t uid = (uid_t)-1L;
|
|
|
5f7b57 |
char *uid_str = problem_data_get_content_or_NULL(problem_data, FILENAME_UID);
|
|
|
5f7b57 |
|
|
|
5f7b57 |
@@ -105,6 +111,12 @@ struct dump_dir *create_dump_dir_from_problem_data(problem_data_t *problem_data,
|
|
|
5f7b57 |
g_hash_table_iter_init(&iter, problem_data);
|
|
|
5f7b57 |
while (g_hash_table_iter_next(&iter, (void**)&name, (void**)&value))
|
|
|
5f7b57 |
{
|
|
|
5f7b57 |
+ if (!str_is_correct_filename(name))
|
|
|
5f7b57 |
+ {
|
|
|
5f7b57 |
+ error_msg("Problem data field name contains disallowed chars: '%s'", name);
|
|
|
5f7b57 |
+ continue;
|
|
|
5f7b57 |
+ }
|
|
|
5f7b57 |
+
|
|
|
5f7b57 |
if (value->flags & CD_FLAG_BIN)
|
|
|
5f7b57 |
{
|
|
|
5f7b57 |
char *dest = concat_path_file(dd->dd_dirname, name);
|
|
|
5f7b57 |
@@ -119,13 +131,6 @@ struct dump_dir *create_dump_dir_from_problem_data(problem_data_t *problem_data,
|
|
|
5f7b57 |
continue;
|
|
|
5f7b57 |
}
|
|
|
5f7b57 |
|
|
|
5f7b57 |
- /* only files should contain '/' and those are handled earlier */
|
|
|
5f7b57 |
- if (name[0] == '.' || strchr(name, '/'))
|
|
|
5f7b57 |
- {
|
|
|
5f7b57 |
- error_msg("Problem data field name contains disallowed chars: '%s'", name);
|
|
|
5f7b57 |
- continue;
|
|
|
5f7b57 |
- }
|
|
|
5f7b57 |
-
|
|
|
5f7b57 |
dd_save_text(dd, name, value->content);
|
|
|
5f7b57 |
}
|
|
|
5f7b57 |
|
|
|
5f7b57 |
diff --git a/src/lib/dump_dir.c b/src/lib/dump_dir.c
|
|
|
5f7b57 |
index 2a65100..0048faf 100644
|
|
|
5f7b57 |
--- a/src/lib/dump_dir.c
|
|
|
5f7b57 |
+++ b/src/lib/dump_dir.c
|
|
|
5f7b57 |
@@ -345,6 +345,9 @@ static inline struct dump_dir *dd_init(void)
|
|
|
5f7b57 |
|
|
|
5f7b57 |
int dd_exist(const struct dump_dir *dd, const char *path)
|
|
|
5f7b57 |
{
|
|
|
5f7b57 |
+ if (!str_is_correct_filename(path))
|
|
|
5f7b57 |
+ error_msg_and_die("Cannot test existence. '%s' is not a valid file name", path);
|
|
|
5f7b57 |
+
|
|
|
5f7b57 |
char *full_path = concat_path_file(dd->dd_dirname, path);
|
|
|
5f7b57 |
int ret = exist_file_dir(full_path);
|
|
|
5f7b57 |
free(full_path);
|
|
|
5f7b57 |
@@ -1044,6 +1047,13 @@ char* dd_load_text_ext(const struct dump_dir *dd, const char *name, unsigned fla
|
|
|
5f7b57 |
// if (!dd->locked)
|
|
|
5f7b57 |
// error_msg_and_die("dump_dir is not opened"); /* bug */
|
|
|
5f7b57 |
|
|
|
5f7b57 |
+ if (!str_is_correct_filename(name))
|
|
|
5f7b57 |
+ {
|
|
|
5f7b57 |
+ error_msg("Cannot load text. '%s' is not a valid file name", name);
|
|
|
5f7b57 |
+ if (!(flags & DD_LOAD_TEXT_RETURN_NULL_ON_FAILURE))
|
|
|
5f7b57 |
+ xfunc_die();
|
|
|
5f7b57 |
+ }
|
|
|
5f7b57 |
+
|
|
|
5f7b57 |
/* Compat with old abrt dumps. Remove in abrt-2.1 */
|
|
|
5f7b57 |
if (strcmp(name, "release") == 0)
|
|
|
5f7b57 |
name = FILENAME_OS_RELEASE;
|
|
|
5f7b57 |
@@ -1065,6 +1075,9 @@ void dd_save_text(struct dump_dir *dd, const char *name, const char *data)
|
|
|
5f7b57 |
if (!dd->locked)
|
|
|
5f7b57 |
error_msg_and_die("dump_dir is not opened"); /* bug */
|
|
|
5f7b57 |
|
|
|
5f7b57 |
+ if (!str_is_correct_filename(name))
|
|
|
5f7b57 |
+ error_msg_and_die("Cannot save text. '%s' is not a valid file name", name);
|
|
|
5f7b57 |
+
|
|
|
5f7b57 |
char *full_path = concat_path_file(dd->dd_dirname, name);
|
|
|
5f7b57 |
save_binary_file(full_path, data, strlen(data), dd->dd_uid, dd->dd_gid, dd->mode);
|
|
|
5f7b57 |
free(full_path);
|
|
|
5f7b57 |
@@ -1075,6 +1088,9 @@ void dd_save_binary(struct dump_dir* dd, const char* name, const char* data, uns
|
|
|
5f7b57 |
if (!dd->locked)
|
|
|
5f7b57 |
error_msg_and_die("dump_dir is not opened"); /* bug */
|
|
|
5f7b57 |
|
|
|
5f7b57 |
+ if (!str_is_correct_filename(name))
|
|
|
5f7b57 |
+ error_msg_and_die("Cannot save binary. '%s' is not a valid file name", name);
|
|
|
5f7b57 |
+
|
|
|
5f7b57 |
char *full_path = concat_path_file(dd->dd_dirname, name);
|
|
|
5f7b57 |
save_binary_file(full_path, data, size, dd->dd_uid, dd->dd_gid, dd->mode);
|
|
|
5f7b57 |
free(full_path);
|
|
|
5f7b57 |
@@ -1082,6 +1098,9 @@ void dd_save_binary(struct dump_dir* dd, const char* name, const char* data, uns
|
|
|
5f7b57 |
|
|
|
5f7b57 |
long dd_get_item_size(struct dump_dir *dd, const char *name)
|
|
|
5f7b57 |
{
|
|
|
5f7b57 |
+ if (!str_is_correct_filename(name))
|
|
|
5f7b57 |
+ error_msg_and_die("Cannot get item size. '%s' is not a valid file name", name);
|
|
|
5f7b57 |
+
|
|
|
5f7b57 |
long size = -1;
|
|
|
5f7b57 |
char *iname = concat_path_file(dd->dd_dirname, name);
|
|
|
5f7b57 |
struct stat statbuf;
|
|
|
5f7b57 |
@@ -1106,6 +1125,9 @@ int dd_delete_item(struct dump_dir *dd, const char *name)
|
|
|
5f7b57 |
if (!dd->locked)
|
|
|
5f7b57 |
error_msg_and_die("dump_dir is not opened"); /* bug */
|
|
|
5f7b57 |
|
|
|
5f7b57 |
+ if (!str_is_correct_filename(name))
|
|
|
5f7b57 |
+ error_msg_and_die("Cannot delete item. '%s' is not a valid file name", name);
|
|
|
5f7b57 |
+
|
|
|
5f7b57 |
char *path = concat_path_file(dd->dd_dirname, name);
|
|
|
5f7b57 |
int res = unlink(path);
|
|
|
5f7b57 |
|
|
|
5f7b57 |
--
|
|
|
5f7b57 |
1.8.3.1
|
|
|
5f7b57 |
|