commit e062c17e3829f3c04c25b5f6fc17ccc4491befa8

Author: Tomas Bzatek <tbzatek@redhat.com>

Date:   Tue Mar 23 16:48:08 2021 +0100

    modules: Limit module name to alphanumeric characters and -_ separators

    A hardening feature as long as the module name is directly involved

    in filename creation.

diff --git a/doc/udisks2-sections.txt.daemon.sections.in b/doc/udisks2-sections.txt.daemon.sections.in

index 16eaf74e..204ca897 100644

--- a/doc/udisks2-sections.txt.daemon.sections.in

+++ b/doc/udisks2-sections.txt.daemon.sections.in

@@ -312,6 +312,7 @@ udisks_daemon_util_get_free_mdraid_device

 udisks_ata_identify_get_word

 udisks_daemon_util_trigger_uevent

 udisks_daemon_util_trigger_uevent_sync

+udisks_module_validate_name

 </SECTION>

 <SECTION>

diff --git a/src/udisksconfigmanager.c b/src/udisksconfigmanager.c

index 9558e276..5868e864 100644

--- a/src/udisksconfigmanager.c

+++ b/src/udisksconfigmanager.c

@@ -26,6 +26,7 @@

 #include "udiskslogging.h"

 #include "udisksdaemontypes.h"

 #include "udisksconfigmanager.h"

+#include "udisksdaemonutil.h"

 struct _UDisksConfigManager {

   GObject parent_instance;

@@ -60,6 +61,8 @@ enum

 #define DEFAULTS_GROUP_NAME "defaults"

 #define DEFAULTS_ENCRYPTION_KEY "encryption"

+#define MODULES_ALL_ARG "*"

+

 static void

 udisks_config_manager_get_property (GObject    *object,

                                     guint       property_id,

@@ -170,7 +173,16 @@ parse_config_file (UDisksConfigManager         *manager,

             {

               modules_tmp = modules;

               for (module_i = *modules_tmp; module_i; module_i = *++modules_tmp)

-                *out_modules = g_list_append (*out_modules, g_strdup (g_strstrip (module_i)));

+                {

+                  g_strstrip (module_i);

+                  if (! udisks_module_validate_name (module_i) && !g_str_equal (module_i, MODULES_ALL_ARG))

+                    {

+                      g_warning ("Invalid module name '%s' specified in the %s config file.",

+                                 module_i, conf_filename);

+                      continue;

+                    }

+                  *out_modules = g_list_append (*out_modules, g_strdup (module_i));

+                }

               g_strfreev (modules);

             }

         }

@@ -397,7 +409,7 @@ udisks_config_manager_get_modules_all (UDisksConfigManager *manager)

   parse_config_file (manager, NULL, NULL, &modules);

-  ret = !modules || (g_strcmp0 (modules->data, "*") == 0 && g_list_length (modules) == 1);

+  ret = !modules || (g_strcmp0 (modules->data, MODULES_ALL_ARG) == 0 && g_list_length (modules) == 1);

   g_list_free_full (modules, (GDestroyNotify) g_free);

diff --git a/src/udisksdaemonutil.c b/src/udisksdaemonutil.c

index 60134765..1695b524 100644

--- a/src/udisksdaemonutil.c

+++ b/src/udisksdaemonutil.c

@@ -1880,3 +1880,29 @@ udisks_daemon_util_trigger_uevent_sync (UDisksDaemon *daemon,

 }

 /* ---------------------------------------------------------------------------------------------------- */

+

+/**

+ * udisks_module_validate_name:

+ * @module_name: A udisks2 module name.

+ *

+ * Checks the string for a valid udisks2 module name. Only alphanumeric characters

+ * along with the '-' and '_' separators are permitted.

+ *

+ * Returns: %TRUE if the string is a valid udisks2 module name, %FALSE otherwise.

+ */

+gboolean

+udisks_module_validate_name (const gchar *module_name)

+{

+  int i;

+

+  for (i = 0; module_name[i] != '\0'; i++)

+    /* going ASCII, will disqualify any UTF-* string */

+    if (! g_ascii_isalnum (module_name[i]) &&

+        module_name[i] != '-' &&

+        module_name[i] != '_')

+      return FALSE;

+

+  return TRUE;

+}

+

+/* ---------------------------------------------------------------------------------------------------- */

diff --git a/src/udisksdaemonutil.h b/src/udisksdaemonutil.h

index 2d7ac981..df584de4 100644

--- a/src/udisksdaemonutil.h

+++ b/src/udisksdaemonutil.h

@@ -129,6 +129,8 @@ gchar *udisks_daemon_util_get_free_mdraid_device (void);

 guint16 udisks_ata_identify_get_word (const guchar *identify_data, guint word_number);

+gboolean udisks_module_validate_name (const gchar *module_name);

+

 /* Utility macro for policy verification. */

 #define UDISKS_DAEMON_CHECK_AUTHORIZATION(daemon,                   \

                                           object,                   \

diff --git a/src/udiskslinuxmanager.c b/src/udiskslinuxmanager.c

index 8af65d97..26d8a5d7 100644

--- a/src/udiskslinuxmanager.c

+++ b/src/udiskslinuxmanager.c

@@ -956,6 +956,15 @@ handle_enable_module (UDisksManager         *object,

   UDisksLinuxManager *manager = UDISKS_LINUX_MANAGER (object);

   EnableModulesData *data;

+  if (! udisks_module_validate_name (arg_name))

+    {

+      g_dbus_method_invocation_return_error (invocation,

+                                             G_IO_ERROR, G_IO_ERROR_INVALID_ARGUMENT,

+                                             "Requested module name '%s' is not a valid udisks2 module name.",

+                                             arg_name);

+      return TRUE;

+    }

+

   if (! arg_enable)

     {

       /* TODO: implement proper module unloading */