From: Alexey Tourbin <at@altlinux.ru>
To: ALT Linux Team development discussions <devel@lists.altlinux.org>
Subject: [devel] find-package: implemented protection against shell metacharacters and evil paths
Date: Mon, 10 Sep 2007 13:34:53 +0400
Message-ID: <20070910093453.GB6051@solemn.turbinal> (raw)
In-Reply-To: <20070909185403.GS6051@solemn.turbinal>
[-- Attachment #1: Type: text/plain, Size: 3619 bytes --]
On Sun, Sep 09, 2007 at 10:54:03PM +0400, Alexey Tourbin wrote:
> В пакете имеется всего один скрипт вида
> #!/bin/sh
> /usr/bin/*
>
> Шелл-анализатор считает "/usr/bin/*" командой (не отсеивает глоб):
>
> $ sh --rpm-requires -c '/usr/bin/*'
> executable(/usr/bin/*)
> $
>
> В таком виде это поступает на вход в shell.req. Из-за того, что старый
> (текущий) shell.req не работает в режиме -f, то там при определенной
> попытке разбить все полученные из --rpm-requires зависимости на слова
> выполняется реальный шелл-глоб:
>
> # Find requires
> found="$(FindReqs $reqs)"
>
> Здесь $reqs не только разбивается на слова, но и выполняется глоб,
> то есть /usr/bin/* среди $reqs фактически раскрывается во все-все
> файлы в /usr/bin. После этого запускается поиск зависимостей на все-все
> файлы в /usr/bin.
>
> Новый (мой not yet) shell.req работает в режиме -f, поэтому появляется
> неудовлетворенная зависимость на /usr/bin/* (sic!).
Update of /people/at/packages/rpm.git
Changes statistics since common ancestor `4.0.4-alt77-70-g9196764' follows:
scripts/find-package.in | 12 +++++++++---
scripts/shell.req.in | 3 ---
2 files changed, 9 insertions(+), 6 deletions(-)
Changelog since common ancestor `4.0.4-alt77-70-g9196764' follows:
commit 2b1c36538fafa3b9daea6334a304b963995ef9fd
Author: Alexey Tourbin <at@altlinux>
Date: Mon Sep 10 13:26:52 2007 +0400
find-package: implemented protection against shell metacharacters and evil paths
There are two possibilities for protection:
1) we should protect at least from very evil shell metacharacters,
like [$*], and also from [:cntrl:] (e.g. newline).
2) we can provide an exhaustive list of characters that are valid
for non-evil pathnames and commands, and issue mandatory warning
if the command or path appears to be evil.
I chose the latter approach.
Valid character range is 'A-Za-z0-9/@=.,:_+-'.
Note that (almost) all files from our base build system
are valid paths:
$ valid='A-Za-z0-9/@=.,:_+-'
$ hsh-run -- rpm -qal |grep "[^$valid]"
/usr/bin/[
/usr/share/man/man1/[.1.bz2
(contains no files)
(contains no files)
$
Later we'll see if the range of valid characters needs to be extended.
Full diff since common ancestor `4.0.4-alt77-70-g9196764' follows:
diff --git a/scripts/find-package.in b/scripts/find-package.in
index 3971d48..eb0333a 100755
--- a/scripts/find-package.in
+++ b/scripts/find-package.in
@@ -272,15 +272,21 @@ FindPackage()
local f="$1" r; shift || return
for r; do
local Verbose=Verbose
+ # Only these characters are allowed for pathnames or commands:
+ valid='A-Za-z0-9/@=.,:_+-'
case "$r" in
+ /*[!"$valid"]*)
+ Info "$f: invalid pathname: $r" ;;
/*)
FindByPath "$f" "$r" ;;
*/*)
- Info "$f: invalid pathname $r" ;;
+ Info "$f: invalid pathname: $r" ;;
-*)
- Info "$f: invalid command $r" ;;
+ Info "$f: invalid command: $r" ;;
+ *[!"$valid"]*)
+ Info "$f: invalid command: $r" ;;
'')
- ;;
+ Verbose "$f: empty command?"
*)
FindByName "$f" "$r" ;;
esac
diff --git a/scripts/shell.req.in b/scripts/shell.req.in
index 5cb790b..28611b5 100755
--- a/scripts/shell.req.in
+++ b/scripts/shell.req.in
@@ -61,9 +61,6 @@ ShellReq()
dname=${f#${RPM_BUILD_ROOT-}}
dname=${dname%/*}
for r in $reqs; do
- if [ -z "${r/*\$*}" ]; then
- continue
- fi
case "$(type -t -- "$r")" in
alias|keyword|function|builtin)
continue ;;
[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
prev parent reply other threads:[~2007-09-10 9:34 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-09-08 15:49 [devel] Fwd: [git update] packages/test-glob-req: heads/master Alexey Tourbin
2007-09-08 18:50 ` Michael Shigorin
2007-09-08 19:52 ` Alexey Tourbin
2007-09-08 20:00 ` [devel] [JT] zsh nonomatch by default pls :) Michael Shigorin
2007-09-08 20:10 ` Alexey Tourbin
2007-09-09 17:21 ` Michael Shigorin
2007-09-09 18:40 ` [devel] Fwd: [git update] packages/test-glob-req: heads/master Slava Semushin
2007-09-09 18:54 ` Alexey Tourbin
2007-09-10 9:34 ` Alexey Tourbin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070910093453.GB6051@solemn.turbinal \
--to=at@altlinux.ru \
--cc=devel@lists.altlinux.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
ALT Linux Team development discussions
This inbox may be cloned and mirrored by anyone:
git clone --mirror http://lore.altlinux.org/devel/0 devel/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 devel devel/ http://lore.altlinux.org/devel \
devel@altlinux.org devel@altlinux.ru devel@lists.altlinux.org devel@lists.altlinux.ru devel@linux.iplabs.ru mandrake-russian@linuxteam.iplabs.ru sisyphus@linuxteam.iplabs.ru
public-inbox-index devel
Example config snippet for mirrors.
Newsgroup available over NNTP:
nntp://lore.altlinux.org/org.altlinux.lists.devel
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git