dbus: add some more safety checks before accepting data from bus clients
This commit is contained in:
parent
07c289875f
commit
0b507b17a7
|
@ -451,6 +451,14 @@ static DBusHandlerResult hostname_message_handler(
|
||||||
} else {
|
} else {
|
||||||
char *h;
|
char *h;
|
||||||
|
|
||||||
|
/* The icon name might ultimately be
|
||||||
|
* used as file name, so better be
|
||||||
|
* safe than sorry */
|
||||||
|
if (k == PROP_ICON_NAME && !filename_is_safe(name))
|
||||||
|
return bus_send_error_reply(connection, message, NULL, -EINVAL);
|
||||||
|
if (k == PROP_PRETTY_HOSTNAME && !string_is_safe(name))
|
||||||
|
return bus_send_error_reply(connection, message, NULL, -EINVAL);
|
||||||
|
|
||||||
h = strdup(name);
|
h = strdup(name);
|
||||||
if (!h)
|
if (!h)
|
||||||
goto oom;
|
goto oom;
|
||||||
|
|
|
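Review bot: The PROP_PRETTY_HOSTNAME check has no comment saying what makes a value unsafe, while the icon-name check just above it does; add something like `/* The pretty hostname is written back to a config file, so reject control characters, quotes and backslashes */` above the `if (k == PROP_PRETTY_HOSTNAME && !string_is_safe(name))` line (the destination of the value is not visible in this hunk, so confirm the wording). That check relies on string_is_safe as added in this same commit, whose loop advances `t` but tests `*p`, so at present only the first character of the pretty hostname is inspected. hostname_message_handler starts and ends outside this hunk.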
@ -314,7 +314,7 @@ void server_process_native_file(
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (strchr(e, '/')) {
|
if (!filename_is_safe(e)) {
|
||||||
log_error("Received file in subdirectory of allowed directories. Refusing.");
|
log_error("Received file in subdirectory of allowed directories. Refusing.");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
|
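Review bot: The log message on the line after the changed condition still reads "Received file in subdirectory of allowed directories", but `!filename_is_safe(e)` now also rejects an empty name, `.`, `..` and over-long names, so the message is misleading for those cases; change it to `log_error("Received file with unsafe name. Refusing.");` or mention both conditions. server_process_native_file starts and ends outside this hunk.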
@ -1039,7 +1039,9 @@ static DBusHandlerResult locale_message_handler(
|
||||||
size_t k;
|
size_t k;
|
||||||
|
|
||||||
k = strlen(names[p]);
|
k = strlen(names[p]);
|
||||||
if (startswith(*i, names[p]) && (*i)[k] == '=') {
|
if (startswith(*i, names[p]) &&
|
||||||
|
(*i)[k] == '=' &&
|
||||||
|
string_is_safe((*i) + k + 1)) {
|
||||||
valid = true;
|
valid = true;
|
||||||
passed[p] = true;
|
passed[p] = true;
|
||||||
|
|
||||||
|
@ -1150,6 +1152,10 @@ static DBusHandlerResult locale_message_handler(
|
||||||
if (!streq_ptr(keymap, state.vc_keymap) ||
|
if (!streq_ptr(keymap, state.vc_keymap) ||
|
||||||
!streq_ptr(keymap_toggle, state.vc_keymap_toggle)) {
|
!streq_ptr(keymap_toggle, state.vc_keymap_toggle)) {
|
||||||
|
|
||||||
|
if ((keymap && (!filename_is_safe(keymap) || !string_is_safe(keymap))) ||
|
||||||
|
(keymap_toggle && (!filename_is_safe(keymap_toggle) || !string_is_safe(keymap_toggle))))
|
||||||
|
return bus_send_error_reply(connection, message, NULL, -EINVAL);
|
||||||
|
|
||||||
r = verify_polkit(connection, message, "org.freedesktop.locale1.set-keyboard", interactive, NULL, &error);
|
r = verify_polkit(connection, message, "org.freedesktop.locale1.set-keyboard", interactive, NULL, &error);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return bus_send_error_reply(connection, message, &error, r);
|
return bus_send_error_reply(connection, message, &error, r);
|
||||||
|
@ -1220,6 +1226,12 @@ static DBusHandlerResult locale_message_handler(
|
||||||
!streq_ptr(variant, state.x11_variant) ||
|
!streq_ptr(variant, state.x11_variant) ||
|
||||||
!streq_ptr(options, state.x11_options)) {
|
!streq_ptr(options, state.x11_options)) {
|
||||||
|
|
||||||
|
if ((layout && !string_is_safe(layout)) ||
|
||||||
|
(model && !string_is_safe(model)) ||
|
||||||
|
(variant && !string_is_safe(variant)) ||
|
||||||
|
(options && !string_is_safe(options)))
|
||||||
|
return bus_send_error_reply(connection, message, NULL, -EINVAL);
|
||||||
|
|
||||||
r = verify_polkit(connection, message, "org.freedesktop.locale1.set-keyboard", interactive, NULL, &error);
|
r = verify_polkit(connection, message, "org.freedesktop.locale1.set-keyboard", interactive, NULL, &error);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return bus_send_error_reply(connection, message, &error, r);
|
return bus_send_error_reply(connection, message, &error, r);
|
||||||
|
|
|
@ -56,6 +56,7 @@
|
||||||
#include <sys/mman.h>
|
#include <sys/mman.h>
|
||||||
#include <sys/vfs.h>
|
#include <sys/vfs.h>
|
||||||
#include <linux/magic.h>
|
#include <linux/magic.h>
|
||||||
|
#include <limits.h>
|
||||||
|
|
||||||
#include "macro.h"
|
#include "macro.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
|
@ -5851,3 +5852,39 @@ void closedirp(DIR **d) {
|
||||||
void umaskp(mode_t *u) {
|
void umaskp(mode_t *u) {
|
||||||
umask(*u);
|
umask(*u);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool filename_is_safe(const char *p) {
|
||||||
|
|
||||||
|
if (isempty(p))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
if (strchr(p, '/'))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
if (streq(p, "."))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
if (streq(p, ".."))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
if (strlen(p) > FILENAME_MAX)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool string_is_safe(const char *p) {
|
||||||
|
const char *t;
|
||||||
|
|
||||||
|
assert(p);
|
||||||
|
|
||||||
|
for (t = p; *t; t++) {
|
||||||
|
if (*p < ' ')
|
||||||
|
return false;
|
||||||
|
|
||||||
|
if (strchr("\\\"\'", *p))
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
|
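Review bot: string_is_safe never looks past the first character: the loop advances `t` but both tests read `*p`, so `if (*p < ' ')` and `if (strchr("\\\"\'", *p))` should be `if (*t < ' ')` and `if (strchr("\\\"\'", *t))`; as written any string whose first byte is acceptable passes, which defeats the new checks in hostnamed and localed that call it. Once the loop is fixed, note that `*t < ' '` on a target where char is signed also rejects every byte >= 0x80, i.e. any non-ASCII UTF-8 value such as a pretty hostname; if that is not intended, compare `(unsigned char) *t < ' '`, and consider whether 0x7f (DEL) should be rejected as well. In filename_is_safe the length bound uses FILENAME_MAX, which is stdio's path-length constant (4096 on glibc), while this commit adds `<limits.h>`; if the intent is a single path component, NAME_MAX (255) is the tighter bound.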
@ -558,3 +558,6 @@ _malloc_ static inline void *memdup_multiply(const void *p, size_t a, size_t b)
|
||||||
|
|
||||||
return memdup(p, a * b);
|
return memdup(p, a * b);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool filename_is_safe(const char *p);
|
||||||
|
bool string_is_safe(const char *p);
|
||||||
|
|