krb5/krb5-1.3-ftp-glob.patch
cvsdist 0b77dc9b0b auto-import changelog data from krb5-1.3.1-6.src.rpm
Thu Sep 25 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-6
- fix bug in patch to make rlogind start login with a clean environment a
    la netkit rlogin, spotted and fixed by Scott McClung
Tue Sep 23 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-5
- include profile.d scriptlets in krb5-devel so that krb5-config will be in
    the path, reported by Kir Kolyshkin
Mon Sep 08 2003 Nalin Dahyabhai <nalin@redhat.com>
- add more etypes (arcfour) to the default enctype list in kdc.conf
- don't apply previous patch, refused upstream
Fri Sep 05 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-4
- fix 32/64-bit bug storing and retrieving the issue_date in v4 credentials
Wed Sep 03 2003 Dan Walsh <dwalsh@redhat.com> 1.3.1-3
- Don't check for write access on /etc/krb5.conf if SELinux
Tue Aug 26 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-2
- fixup some int/pointer varargs wackiness
Tue Aug 05 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-1
- rebuild
Mon Aug 04 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-0
- update to 1.3.1
Thu Jul 24 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3-2
- pull fix for non-compliant encoding of salt field in etype-info2 preauth
    data from 1.3.1 beta 1, until 1.3.1 is released.
Mon Jul 21 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3-1
- update to 1.3
Mon Jul 07 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.8-4
- correctly use stdargs
Wed Jun 18 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3-0.beta.4
- test update to 1.3 beta 4
- ditch statglue build option
- krb5-devel requires e2fsprogs-devel, which now provides libss and
    libcom_err
Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
- rebuilt
Wed May 21 2003 Jeremy Katz <katzj@redhat.com> 1.2.8-2
- gcc 3.3 doesn't implement varargs.h, include stdarg.h instead
Wed Apr 09 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.8-1
- update to 1.2.8
2004-09-09 07:16:22 +00:00

282 lines
6.7 KiB
Diff

--- krb5-1.3/src/appl/gssftp/ftp/cmds.c
+++ krb5-1.3/src/appl/gssftp/ftp/cmds.c
@@ -99,6 +99,65 @@
static void quote1 (char *, int, char **);
static char *dotrans (char *);
static char *domap (char *);
+static int checkglob(int fd, const char *pattern);
+
+/*
+ * pipeprotect: protect against "special" local filenames by prepending
+ * "./". Special local filenames are "-" and "|..." AND "/...".
+ */
+static char *pipeprotect(char *name)
+{
+ char *nu;
+ if (strcmp(name, "-") && *name!='|' && *name!='/') {
+ return name;
+ }
+
+ /* We're going to leak this memory. XXX. */
+ nu = malloc(strlen(name)+3);
+ if (nu==NULL) {
+ perror("malloc");
+ code = -1;
+ return NULL;
+ }
+ strcpy(nu, ".");
+ if (*name != '/') strcat(nu, "/");
+ strcat(nu, name);
+ return nu;
+}
+
+/*
+ * Look for embedded ".." in a pathname and change it to "!!", printing
+ * a warning.
+ */
+static char *pathprotect(char *name)
+{
+ int gotdots=0, i, len;
+
+ /* Convert null terminator to trailing / to catch a trailing ".." */
+ len = strlen(name)+1;
+ name[len-1] = '/';
+
+ /*
+ * State machine loop. gotdots is < 0 if not looking at dots,
+ * 0 if we just saw a / and thus might start getting dots,
+ * and the count of dots seen so far if we have seen some.
+ */
+ for (i=0; i<len; i++) {
+ if (name[i]=='.' && gotdots>=0) gotdots++;
+ else if (name[i]=='/' && gotdots<0) gotdots=0;
+ else if (name[i]=='/' && gotdots==2) {
+ printf("Warning: embedded .. in %.*s (changing to !!)\n",
+ len-1, name);
+ name[i-1] = '!';
+ name[i-2] = '!';
+ gotdots = 0;
+ }
+ else if (name[i]=='/') gotdots = 0;
+ else gotdots = -1;
+ }
+ name[len-1] = 0;
+ return name;
+}
/*
* `Another' gets another argument, and stores the new argc and argv.
@@ -844,7 +903,15 @@
if (argc == 2) {
argc++;
- argv[2] = argv[1];
+ /*
+ * Protect the user from accidentally retrieving special
+ * local names.
+ */
+ argv[2] = pipeprotect(argv[1]);
+ if (!argv[2]) {
+ code = -1;
+ return 0;
+ }
loc++;
}
if (argc < 2 && !another(&argc, &argv, "remote-file"))
@@ -1016,8 +1083,19 @@
if (mapflag) {
tp = domap(tp);
}
- recvrequest("RETR", tp, cp, "w",
- tp != cp || !interactive, 1);
+
+ /* Reject embedded ".." */
+ tp = pathprotect(tp);
+
+ /* Prepend ./ to "-" or "!*" or leading "/" */
+ tp = pipeprotect(tp);
+ if (tp == NULL) {
+ /* hmm... how best to handle this? */
+ mflag = 0;
+ } else {
+ recvrequest("RETR", tp, cp, "w",
+ tp != cp || !interactive, 1);
+ }
if (!mflag && fromatty) {
ointer = interactive;
interactive = 1;
@@ -1045,8 +1123,8 @@
static char buf[MAXPATHLEN];
static FILE *ftemp = NULL;
static char **args;
- int oldverbose, oldhash;
- char *cp, *rmode;
+ int oldverbose, oldhash, badglob = 0;
+ char *cp;
if (!mflag) {
if (!doglob) {
@@ -1075,23 +1153,46 @@
return (NULL);
}
#else
- (void) strncpy(temp, _PATH_TMP, sizeof(temp) - 1);
- temp[sizeof(temp) - 1] = '\0';
- (void) mktemp(temp);
+ int oldumask, fd;
+ (void) strcpy(temp, _PATH_TMP);
+
+ /* libc 5.2.18 creates with mode 0666, which is dumb */
+ oldumask = umask(077);
+ fd = mkstemp(temp);
+ umask(oldumask);
+
+ if (fd<0) {
+ printf("Error creating temporary file, oops\n");
+ return NULL;
+ }
#endif /* !_WIN32 */
oldverbose = verbose, verbose = 0;
oldhash = hash, hash = 0;
if (doswitch) {
pswitch(!proxy);
}
- for (rmode = "w"; *++argv != NULL; rmode = "a")
- recvrequest ("NLST", temp, *argv, rmode, 0, 0);
+
+ while (*++argv != NULL) {
+ int dupfd = dup(fd);
+
+ recvrequest ("NLST", temp, *argv, "a", 0, 0);
+ if (!checkglob(dupfd, *argv)) {
+ badglob = 1;
+ break;
+ }
+ }
+ unlink(temp);
+
if (doswitch) {
pswitch(!proxy);
}
verbose = oldverbose; hash = oldhash;
- ftemp = fopen(temp, "r");
- (void) unlink(temp);
+ if (badglob) {
+ printf("Refusing to handle insecure file list\n");
+ close(fd);
+ return NULL;
+ }
+ ftemp = fdopen(fd, "r");
#ifdef _WIN32
free(temp);
temp = NULL;
@@ -1100,6 +1201,7 @@
printf("can't find list of remote files, oops\n");
return (NULL);
}
+ rewind(ftemp);
}
if (fgets(buf, sizeof (buf), ftemp) == NULL) {
(void) fclose(ftemp), ftemp = NULL;
@@ -1110,6 +1212,100 @@
return (buf);
}
+/*
+ * Check whether given pattern matches `..'
+ * We assume only a glob pattern starting with a dot will match
+ * dot entries on the server.
+ */
+static int
+isdotdotglob(const char *pattern)
+{
+ int havedot = 0;
+ char c;
+
+ if (*pattern++ != '.')
+ return 0;
+ while ((c = *pattern++) != '\0' && c != '/') {
+ if (c == '*' || c == '?')
+ continue;
+ if (c == '.' && havedot++)
+ return 0;
+ }
+ return 1;
+}
+
+/*
+ * This function makes sure the list of globbed files returned from
+ * the server doesn't contain anything dangerous such as
+ * /home/<yourname>/.forward, or ../.forward,
+ * or |mail foe@doe </etc/passwd, etc.
+ * Covered areas:
+ * - returned name starts with / but glob pattern doesn't
+ * - glob pattern starts with / but returned name doesn't
+ * - returned name starts with |
+ * - returned name contains .. in a position where glob
+ * pattern doesn't match ..
+ * I.e. foo/.* allows foo/../bar but not foo/.bar/../fly
+ *
+ * Note that globbed names starting with / should really be stored
+ * under the current working directory; this is handled in mget above.
+ * --okir
+ */
+static int
+checkglob(int fd, const char *pattern)
+{
+ const char *sp;
+ char buffer[MAXPATHLEN], dotdot[MAXPATHLEN];
+ int okay = 1, nrslash, initial, nr;
+ FILE *fp;
+
+ /* Find slashes in glob pattern, and verify whether component
+ * matches `..'
+ */
+ initial = (pattern[0] == '/');
+ for (sp = pattern, nrslash = 0; sp != 0; sp = strchr(sp, '/')) {
+ while (*sp == '/')
+ sp++;
+ if (nrslash >= MAXPATHLEN) {
+ printf("Incredible pattern: %s\n", pattern);
+ return 0;
+ }
+ dotdot[nrslash++] = isdotdotglob(sp);
+ }
+
+ fp = fdopen(fd, "r");
+ while (okay && fgets(buffer, sizeof(buffer), fp) != NULL) {
+ char *sp;
+
+ if ((sp = strchr(buffer, '\n')) != 0) {
+ *sp = '\0';
+ } else {
+ printf("Extremely long filename from server: %s",
+ buffer);
+ okay = 0;
+ break;
+ }
+ if (buffer[0] == '|'
+ || (buffer[0] != '/' && initial)
+ || (buffer[0] == '/' && !initial))
+ okay = 0;
+ for (sp = buffer, nr = 0; sp; sp = strchr(sp, '/'), nr++) {
+ while (*sp == '/')
+ sp++;
+ if (sp[0] == '.' && !strncmp(sp, "../", 3)
+ && (nr >= nrslash || !dotdot[nr]))
+ okay = 0;
+ }
+ }
+
+ if (!okay)
+ printf("Filename provided by server "
+ "doesn't match pattern `%s': %s\n", pattern, buffer);
+
+ fclose(fp);
+ return okay;
+}
+
static char *
onoff(bool)
int bool;