Date: Mon, 10 Sep 2007 13:34:53 +0400
From: Alexey Tourbin
To: ALT Linux Team development discussions <devel@lists.altlinux.org>
Subject: [devel] find-package: implemented protection against shell metacharacters and evil paths
Message-ID: <20070910093453.GB6051@solemn.turbinal>
In-Reply-To: <20070909185403.GS6051@solemn.turbinal>

On Sun, Sep 09, 2007 at 10:54:03PM +0400, Alexey Tourbin wrote:
> The package contains just one script, of the form
> #!/bin/sh
> /usr/bin/*
> 
> The shell analyzer treats "/usr/bin/*" as a command (it does not filter out the glob):
> 
> $ sh --rpm-requires -c '/usr/bin/*'
> executable(/usr/bin/*)
> $
> 
> In this form it arrives as input to shell.req. Because the old (current)
> shell.req does not run in -f mode, at a particular point there, when it
> tries to split all the dependencies obtained from --rpm-requires into
> words, a real shell glob is performed:
> 
> # Find requires
> found="$(FindReqs $reqs)"
> 
> Here $reqs is not only split into words but also globbed, i.e. /usr/bin/*
> among $reqs actually expands to every single file in /usr/bin. After that,
> a dependency search is run over every single file in /usr/bin.
> 
> The new (mine, not yet) shell.req runs in -f mode, so an unsatisfied
> dependency on /usr/bin/* (sic!) appears.
Update of /people/at/packages/rpm.git

Changes statistics since common ancestor `4.0.4-alt77-70-g9196764' follows:
 scripts/find-package.in |   12 +++++++++---
 scripts/shell.req.in    |    3 ---
 2 files changed, 9 insertions(+), 6 deletions(-)

Changelog since common ancestor `4.0.4-alt77-70-g9196764' follows:
commit 2b1c36538fafa3b9daea6334a304b963995ef9fd
Author: Alexey Tourbin
Date:   Mon Sep 10 13:26:52 2007 +0400

    find-package: implemented protection against shell metacharacters and evil paths
    
    There are two possibilities for protection:
    1) we should protect at least from very evil shell metacharacters,
    like [$*], and also from [:cntrl:] (e.g. newline).
    2) we can provide an exhaustive list of characters that are valid for
    non-evil pathnames and commands, and issue mandatory warning if
    the command or path appears to be evil.
    
    I chose the latter approach. Valid character range is 'A-Za-z0-9/@=.,:_+-'.
    
    Note that (almost) all files from our base build system are valid paths:
    
    $ valid='A-Za-z0-9/@=.,:_+-'
    $ hsh-run -- rpm -qal |grep "[^$valid]"
    /usr/bin/[
    /usr/share/man/man1/[.1.bz2
    (contains no files)
    (contains no files)
    $
    
    Later we'll see if the range of valid characters needs to be extended.

Full diff since common ancestor `4.0.4-alt77-70-g9196764' follows:
diff --git a/scripts/find-package.in b/scripts/find-package.in
index 3971d48..eb0333a 100755
--- a/scripts/find-package.in
+++ b/scripts/find-package.in
@@ -272,15 +272,21 @@ FindPackage()
 	local f="$1" r; shift || return
 	for r; do
 		local Verbose=Verbose
+		# Only these characters are allowed for pathnames or commands:
+		valid='A-Za-z0-9/@=.,:_+-'
 		case "$r" in
+			/*[!"$valid"]*)
+				Info "$f: invalid pathname: $r" ;;
 			/*)
 				FindByPath "$f" "$r" ;;
 			*/*)
-				Info "$f: invalid pathname $r" ;;
+				Info "$f: invalid pathname: $r" ;;
 			-*)
-				Info "$f: invalid command $r" ;;
+				Info "$f: invalid command: $r" ;;
+			*[!"$valid"]*)
+				Info "$f: invalid command: $r" ;;
 			'')
-				;;
+				Verbose "$f: empty command?"
 			*)
 				FindByName "$f" "$r" ;;
 		esac
diff --git a/scripts/shell.req.in b/scripts/shell.req.in
index 5cb790b..28611b5 100755
--- a/scripts/shell.req.in
+++ b/scripts/shell.req.in
@@ -61,9 +61,6 @@ ShellReq()
 	dname=${f#${RPM_BUILD_ROOT-}}
 	dname=${dname%/*}
 	for r in $reqs; do
-		if [ -z "${r/*\$*}" ]; then
-			continue
-		fi
 		case "$(type -t -- "$r")" in
 			alias|keyword|function|builtin)
 				continue ;;
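Review bot: the rewritten `'')` arm in the find-package.in hunk is missing its `;;`: `'') ;;` becomes `'') Verbose "$f: empty command?"` with `*)` on the very next line, and in sh every case item except the last must be terminated by `;;`, so this is a syntax error rather than the intended "log and move on"; it should read `Verbose "$f: empty command?" ;;`. Two smaller points in the same hunk: `valid='A-Za-z0-9/@=.,:_+-'` is assigned without `local` (unlike `f`, `r` and `Verbose` above it), so it leaks into the caller's scope on every loop iteration; and `$valid` is double-quoted inside the bracket expressions `/*[!"$valid"]*)` and `*[!"$valid"]*)`, which in bash makes the quoted characters match literally, so `A-Z` would be the three characters A, - and Z rather than a range and any other letter would fall outside the allowed set. Worth checking under the target /bin/sh with something like `case b in *[!"$valid"]*) echo rejected ;; esac`; if it fires, drop the inner quotes (`[!$valid]` is safe there, since a case pattern undergoes no field splitting or pathname expansion).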
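Review bot: removing the `if [ -z "${r/*\$*}" ]; then continue; fi` guard in the shell.req.in hunk changes behaviour from silently skipping any requirement containing `$` to handing it on, so shell.req now depends entirely on find-package's new character check to refuse such words (`$` is outside `A-Za-z0-9/@=.,:_+-`, so it will be reported as an invalid command or pathname); that coupling deserves a one-line comment at the loop, because nothing left in shell.req explains why the guard went away. On the plus side, `${r/*\$*}` was a bash-only substitution, so its removal makes the loop more portable. The surrounding context line `for r in $reqs; do` still word-splits and globs the list unless `set -f` is in effect, which is exactly the `/usr/bin/*` expansion discussed at the top of this mail, so please confirm that -f mode is enabled before this loop in the new shell.req.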
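The following script is an added example, not code from the rpm.git patch or from this mail. It reproduces the two mechanisms the thread turns on: an unquoted expansion such as $(FindReqs $reqs) performing pathname expansion, so that a word like /usr/bin/* grows into every file in the directory (shown with a scratch directory standing in for /usr/bin), and the allow-list classification of the patched case statement using the commit's character set. The helper names count_words, classify_req, check_reqs and demo are invented for the example; the character set is kept unquoted inside the brackets so that the A-Z and 0-9 ranges stay ranges.

```shell
#!/bin/sh
# Added example (not from the rpm.git patch or the mail).  Shows why an
# unquoted expansion such as $(FindReqs $reqs) globs its words, and how an
# allow-list check built from the commit's character set classifies each
# word.  Helper names (count_words, classify_req, check_reqs, demo) are
# invented for this example.

valid='A-Za-z0-9/@=.,:_+-'   # the acceptable characters from the commit

# Print how many words an unquoted expansion of $1 produces.  With $2 set
# to "noglob" the split runs under set -f, so * and ? stay literal.
count_words() {
    (
        if [ "${2-}" = noglob ]; then set -f; fi
        set -- $1   # unquoted on purpose: field splitting and (maybe) globbing
        echo $#
    )
}

# Classify one requirement word the way the patched find-package case
# statement does.  $valid is left unquoted inside the brackets on purpose:
# in bash a quoted "A-Z" inside [...] matches three literal characters,
# not the range.  A case pattern is never field-split or globbed, so the
# unquoted expansion is safe here.
classify_req() {
    case "$1" in
        /*[!$valid]*) echo invalid-path ;;
        /*)           echo path ;;
        */*)          echo invalid-path ;;
        -*)           echo invalid-command ;;
        *[!$valid]*)  echo invalid-command ;;
        '')           echo empty ;;
        *)            echo command ;;
    esac
}

# Split a requires list without globbing and classify every word; prints
# "<class> <word>" per line.
check_reqs() {
    (
        set -f
        for r in $1; do
            printf '%s %s\n' "$(classify_req "$r")" "$r"
        done
    )
}

# Constructed demo: three empty files in a scratch directory stand in for
# /usr/bin, and the requires list mixes a sane path, a glob, a plain
# command, a command substitution and an option.
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/a"; : > "$tmp/b"; : > "$tmp/c"
    reqs="/bin/sh $tmp/* rm \$(id) -f"
    echo "globbing: $(count_words "$reqs") words"         # 7: the glob grew into a b c
    echo "noglob:   $(count_words "$reqs" noglob) words"  # 5: one word per requirement
    check_reqs "$reqs"
    rm -rf "$tmp"
}

demo
```

Run as plain sh; the demo prints the two word counts and then one classification line per requirement, with /bin/sh accepted as a path, rm as a command, and the glob, the command substitution and the option each rejected before anything is looked up.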