From 14872ca4ac094205519dcbadde9b7f1ff28eda9a Mon Sep 17 00:00:00 2001

From: Jakub Filak <jfilak@redhat.com>

Date: Thu, 23 Apr 2015 13:30:15 +0200

Subject: [PATCH] dd: harden functions against directory traversal issues

Test correctness of all accessed dump dir files in all dd* functions.

Before this commit, the callers were allowed to pass strings like

"../../etc/shadow" in the filename argument of all dd* functions.

Related: #1214457

Signed-off-by: Jakub Filak <jfilak@redhat.com>

---

 src/lib/create_dump_dir.c | 15 ++++++++++-----

 src/lib/dump_dir.c        | 30 ++++++++++++++++++++++++++++++

 2 files changed, 40 insertions(+), 5 deletions(-)

diff --git a/src/lib/create_dump_dir.c b/src/lib/create_dump_dir.c

index 6aee370..d2cdd29 100644

--- a/src/lib/create_dump_dir.c

+++ b/src/lib/create_dump_dir.c

@@ -107,16 +107,15 @@ int save_problem_data_in_dump_dir(struct dump_dir *dd, problem_data_t *problem_d

     g_hash_table_iter_init(&iter, problem_data);

     while (g_hash_table_iter_next(&iter, (void**)&name, (void**)&value))

     {

-        if (value->flags & CD_FLAG_BIN)

+        if (!str_is_correct_filename(name))

         {

-            dd_copy_file(dd, name, value->content);

+            error_msg("Problem data field name contains disallowed chars: '%s'", name);

             continue;

         }

-        /* only files should contain '/' and those are handled earlier */

-        if (name[0] == '.' || strchr(name, '/'))

+        if (value->flags & CD_FLAG_BIN)

         {

-            error_msg("Problem data field name contains disallowed chars: '%s'", name);

+            dd_copy_file(dd, name, value->content);

             continue;

         }

@@ -138,6 +137,12 @@ struct dump_dir *create_dump_dir_from_problem_data(problem_data_t *problem_data,

         return NULL;

     }

+    if (!str_is_correct_filename(type))

+    {

+        error_msg(_("'%s' is not correct file name"), FILENAME_TYPE);

+        return NULL;

+    }

+

     uid_t uid = (uid_t)-1L;

     char *uid_str = problem_data_get_content_or_NULL(problem_data, FILENAME_UID);

diff --git a/src/lib/dump_dir.c b/src/lib/dump_dir.c

index 25a8aeb..017a9c1 100644

--- a/src/lib/dump_dir.c

+++ b/src/lib/dump_dir.c

@@ -357,6 +357,9 @@ static inline struct dump_dir *dd_init(void)

 int dd_exist(const struct dump_dir *dd, const char *path)

 {

+    if (!str_is_correct_filename(path))

+        error_msg_and_die("Cannot test existence. '%s' is not a valid file name", path);

+

     char *full_path = concat_path_file(dd->dd_dirname, path);

     int ret = exist_file_dir(full_path);

     free(full_path);

@@ -1059,6 +1062,15 @@ char* dd_load_text_ext(const struct dump_dir *dd, const char *name, unsigned fla

 //    if (!dd->locked)

 //        error_msg_and_die("dump_dir is not opened"); /* bug */

+    if (!str_is_correct_filename(name))

+    {

+        error_msg("Cannot load text. '%s' is not a valid file name", name);

+        if ((flags & DD_LOAD_TEXT_RETURN_NULL_ON_FAILURE))

+            return NULL;

+

+        xfunc_die();

+    }

+

     /* Compat with old abrt dumps. Remove in abrt-2.1 */

     if (strcmp(name, "release") == 0)

         name = FILENAME_OS_RELEASE;

@@ -1080,6 +1092,9 @@ void dd_save_text(struct dump_dir *dd, const char *name, const char *data)

     if (!dd->locked)

         error_msg_and_die("dump_dir is not opened"); /* bug */

+    if (!str_is_correct_filename(name))

+        error_msg_and_die("Cannot save text. '%s' is not a valid file name", name);

+

     char *full_path = concat_path_file(dd->dd_dirname, name);

     save_binary_file(full_path, data, strlen(data), dd->dd_uid, dd->dd_gid, dd->mode);

     free(full_path);

@@ -1090,6 +1105,9 @@ void dd_save_binary(struct dump_dir* dd, const char* name, const char* data, uns

     if (!dd->locked)

         error_msg_and_die("dump_dir is not opened"); /* bug */

+    if (!str_is_correct_filename(name))

+        error_msg_and_die("Cannot save binary. '%s' is not a valid file name", name);

+

     char *full_path = concat_path_file(dd->dd_dirname, name);

     save_binary_file(full_path, data, size, dd->dd_uid, dd->dd_gid, dd->mode);

     free(full_path);

@@ -1097,6 +1115,9 @@ void dd_save_binary(struct dump_dir* dd, const char* name, const char* data, uns

 long dd_get_item_size(struct dump_dir *dd, const char *name)

 {

+    if (!str_is_correct_filename(name))

+        error_msg_and_die("Cannot get item size. '%s' is not a valid file name", name);

+

     long size = -1;

     char *iname = concat_path_file(dd->dd_dirname, name);

     struct stat statbuf;

@@ -1121,6 +1142,9 @@ int dd_delete_item(struct dump_dir *dd, const char *name)

     if (!dd->locked)

         error_msg_and_die("dump_dir is not opened"); /* bug */

+    if (!str_is_correct_filename(name))

+        error_msg_and_die("Cannot delete item. '%s' is not a valid file name", name);

+

     char *path = concat_path_file(dd->dd_dirname, name);

     int res = unlink(path);

@@ -1335,6 +1359,9 @@ int dd_mark_as_notreportable(struct dump_dir *dd, const char *reason)

 int dd_copy_file(struct dump_dir *dd, const char *name, const char *source_path)

 {

+    if (!str_is_correct_filename(name))

+        error_msg_and_die("Cannot test existence. '%s' is not a valid file name", name);

+

     char *dest = concat_path_file(dd->dd_dirname, name);

     log_debug("copying '%s' to '%s'", source_path, dest);

@@ -1351,6 +1378,9 @@ int dd_copy_file(struct dump_dir *dd, const char *name, const char *source_path)

 int dd_copy_file_unpack(struct dump_dir *dd, const char *name, const char *source_path)

 {

+    if (!str_is_correct_filename(name))

+        error_msg_and_die("Cannot test existence. '%s' is not a valid file name", name);

+

     char *dest = concat_path_file(dd->dd_dirname, name);

     log_debug("unpacking '%s' to '%s'", source_path, dest);

-- 

2.1.0