d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
6992112349
freebsd-dev/lib/libc/gen/wordexp.c

411 lines
10 KiB
C
Raw Normal View History

Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
/*-
* Copyright (c) 2002 Tim J. Robbins.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "namespace.h"
#include <sys/cdefs.h>
#include <sys/types.h>
#include <sys/wait.h>
wordexp(3): fix some bugs with signals and long outputs * retry various system calls on EINTR * retry the rest after a short read (common if there is more than about 1K of output) * block SIGCHLD like system(3) does (note that this does not and cannot work fully in threaded programs, they will need to be careful with wait functions) PR: 90580 MFC after: 1 month
2009-10-23 14:50:11 +00:00
#include <errno.h>
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
#include <fcntl.h>
#include <paths.h>
wordexp(3): fix some bugs with signals and long outputs * retry various system calls on EINTR * retry the rest after a short read (common if there is more than about 1K of output) * block SIGCHLD like system(3) does (note that this does not and cannot work fully in threaded programs, they will need to be careful with wait functions) PR: 90580 MFC after: 1 month
2009-10-23 14:50:11 +00:00
#include <signal.h>
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
#include <stdbool.h>
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <wordexp.h>
#include "un-namespace.h"
Switch libc from using _sig{procmask,action,suspend} symbols, which are aliases for the syscall stubs and are plt-interposed, to the libc-private aliases of internally interposed sigprocmask() etc. Since e.g. _sigaction is not interposed by libthr, calling signal() removes thr_sighandler() from the handler slot etc. The result was breaking signal semantic and rtld locking. The added __libc_sigprocmask and other symbols are hidden, they are not exported and cannot be called through PLT. The setjmp/longjmp functions for x86 were changed to use direct calls, and since PIC_PROLOGUE only needed for functional PLT indirection on i386, it is removed as well. The PowerPC bug of calling the syscall directly in the setjmp/longjmp implementation is kept as is. Reported by: Pete French <petefrench@ingresso.co.uk> Tested by: Michiel Boland <boland37@xs4all.nl> Reviewed by: jilles (previous version) Sponsored by: The FreeBSD Foundation MFC after: 1 week
2015-08-29 14:25:01 +00:00
#include "libc_private.h"
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
__FBSDID("$FreeBSD$");
static int we_askshell(const char *, wordexp_t *, int);
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
static int we_check(const char *);
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
/*
* wordexp --
* Perform shell word expansion on `words' and place the resulting list
* of words in `we'. See wordexp(3).
*
* Specified by IEEE Std. 1003.1-2001.
*/
int
wordexp(const char * __restrict words, wordexp_t * __restrict we, int flags)
{
int error;
if (flags & WRDE_REUSE)
wordfree(we);
if ((flags & WRDE_APPEND) == 0) {
we->we_wordc = 0;
we->we_wordv = NULL;
we->we_strings = NULL;
we->we_nbytes = 0;
}
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
if ((error = we_check(words)) != 0) {
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
wordfree(we);
return (error);
}
if ((error = we_askshell(words, we, flags)) != 0) {
wordfree(we);
return (error);
}
return (0);
}
wordexp(3): fix some bugs with signals and long outputs * retry various system calls on EINTR * retry the rest after a short read (common if there is more than about 1K of output) * block SIGCHLD like system(3) does (note that this does not and cannot work fully in threaded programs, they will need to be careful with wait functions) PR: 90580 MFC after: 1 month
2009-10-23 14:50:11 +00:00
static size_t
we_read_fully(int fd, char *buffer, size_t len)
{
size_t done;
ssize_t nread;
done = 0;
do {
nread = _read(fd, buffer + done, len - done);
if (nread == -1 && errno == EINTR)
continue;
if (nread <= 0)
break;
done += nread;
} while (done != len);
return done;
}
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
static bool
we_write_fully(int fd, const char *buffer, size_t len)
{
size_t done;
ssize_t nwritten;
done = 0;
do {
nwritten = _write(fd, buffer + done, len - done);
if (nwritten == -1 && errno == EINTR)
continue;
if (nwritten <= 0)
return (false);
done += nwritten;
} while (done != len);
return (true);
}
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
/*
* we_askshell --
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
* Use the `freebsd_wordexp' /bin/sh builtin function to do most of the
* work in expanding the word string. This function is complicated by
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
* memory management.
*/
static int
we_askshell(const char *words, wordexp_t *we, int flags)
{
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
int pdesw[2]; /* Pipe for writing words */
int pdes[2]; /* Pipe for reading output */
char wfdstr[sizeof(int) * 3 + 1];
char buf[35]; /* Buffer for byte and word count */
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
long nwords, nbytes; /* Number of words, bytes from child */
long i; /* Handy integer */
size_t sofs; /* Offset into we->we_strings */
size_t vofs; /* Offset into we->we_wordv */
pid_t pid; /* Process ID of child */
wordexp(3): fix some bugs with signals and long outputs * retry various system calls on EINTR * retry the rest after a short read (common if there is more than about 1K of output) * block SIGCHLD like system(3) does (note that this does not and cannot work fully in threaded programs, they will need to be careful with wait functions) PR: 90580 MFC after: 1 month
2009-10-23 14:50:11 +00:00
pid_t wpid; /* waitpid return value */
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
int status; /* Child exit status */
wordexp(3): fix some bugs with signals and long outputs * retry various system calls on EINTR * retry the rest after a short read (common if there is more than about 1K of output) * block SIGCHLD like system(3) does (note that this does not and cannot work fully in threaded programs, they will need to be careful with wait functions) PR: 90580 MFC after: 1 month
2009-10-23 14:50:11 +00:00
int error; /* Our return value */
int serrno; /* errno to return */
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
char *np, *p; /* Handy pointers */
char *nstrings; /* Temporary for realloc() */
char **nwv; /* Temporary for realloc() */
wordexp(3): fix some bugs with signals and long outputs * retry various system calls on EINTR * retry the rest after a short read (common if there is more than about 1K of output) * block SIGCHLD like system(3) does (note that this does not and cannot work fully in threaded programs, they will need to be careful with wait functions) PR: 90580 MFC after: 1 month
2009-10-23 14:50:11 +00:00
sigset_t newsigblock, oldsigblock;
wordexp: Explicitly pass along IFS. Per Austin group issue #884, sh should not import IFS from the environment but always set it to $' \t\n'. For wordexp(), however, it is documented and useful for it to use IFS from the environment. Since sh currently imports IFS from the environment, this change has no functional effect. MFC after: 1 week
2015-03-31 20:51:01 +00:00
const char *ifs;
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
wordexp(3): fix some bugs with signals and long outputs * retry various system calls on EINTR * retry the rest after a short read (common if there is more than about 1K of output) * block SIGCHLD like system(3) does (note that this does not and cannot work fully in threaded programs, they will need to be careful with wait functions) PR: 90580 MFC after: 1 month
2009-10-23 14:50:11 +00:00
serrno = errno;
wordexp: Explicitly pass along IFS. Per Austin group issue #884, sh should not import IFS from the environment but always set it to $' \t\n'. For wordexp(), however, it is documented and useful for it to use IFS from the environment. Since sh currently imports IFS from the environment, this change has no functional effect. MFC after: 1 week
2015-03-31 20:51:01 +00:00
ifs = getenv("IFS");
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
if (pipe2(pdesw, O_CLOEXEC) < 0)
return (WRDE_NOSPACE); /* XXX */
snprintf(wfdstr, sizeof(wfdstr), "%d", pdesw[0]);
if (pipe2(pdes, O_CLOEXEC) < 0) {
_close(pdesw[0]);
_close(pdesw[1]);
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
return (WRDE_NOSPACE); /* XXX */
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
}
wordexp(3): fix some bugs with signals and long outputs * retry various system calls on EINTR * retry the rest after a short read (common if there is more than about 1K of output) * block SIGCHLD like system(3) does (note that this does not and cannot work fully in threaded programs, they will need to be careful with wait functions) PR: 90580 MFC after: 1 month
2009-10-23 14:50:11 +00:00
(void)sigemptyset(&newsigblock);
(void)sigaddset(&newsigblock, SIGCHLD);
Switch libc from using _sig{procmask,action,suspend} symbols, which are aliases for the syscall stubs and are plt-interposed, to the libc-private aliases of internally interposed sigprocmask() etc. Since e.g. _sigaction is not interposed by libthr, calling signal() removes thr_sighandler() from the handler slot etc. The result was breaking signal semantic and rtld locking. The added __libc_sigprocmask and other symbols are hidden, they are not exported and cannot be called through PLT. The setjmp/longjmp functions for x86 were changed to use direct calls, and since PIC_PROLOGUE only needed for functional PLT indirection on i386, it is removed as well. The PowerPC bug of calling the syscall directly in the setjmp/longjmp implementation is kept as is. Reported by: Pete French <petefrench@ingresso.co.uk> Tested by: Michiel Boland <boland37@xs4all.nl> Reviewed by: jilles (previous version) Sponsored by: The FreeBSD Foundation MFC after: 1 week
2015-08-29 14:25:01 +00:00
(void)__libc_sigprocmask(SIG_BLOCK, &newsigblock, &oldsigblock);
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
if ((pid = fork()) < 0) {
wordexp(3): fix some bugs with signals and long outputs * retry various system calls on EINTR * retry the rest after a short read (common if there is more than about 1K of output) * block SIGCHLD like system(3) does (note that this does not and cannot work fully in threaded programs, they will need to be careful with wait functions) PR: 90580 MFC after: 1 month
2009-10-23 14:50:11 +00:00
serrno = errno;
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
_close(pdesw[0]);
_close(pdesw[1]);
Use hidden names (_close, _dup2, _waitpid, etc.) where appropriate.
2003-01-07 06:07:56 +00:00
_close(pdes[0]);
_close(pdes[1]);
Switch libc from using _sig{procmask,action,suspend} symbols, which are aliases for the syscall stubs and are plt-interposed, to the libc-private aliases of internally interposed sigprocmask() etc. Since e.g. _sigaction is not interposed by libthr, calling signal() removes thr_sighandler() from the handler slot etc. The result was breaking signal semantic and rtld locking. The added __libc_sigprocmask and other symbols are hidden, they are not exported and cannot be called through PLT. The setjmp/longjmp functions for x86 were changed to use direct calls, and since PIC_PROLOGUE only needed for functional PLT indirection on i386, it is removed as well. The PowerPC bug of calling the syscall directly in the setjmp/longjmp implementation is kept as is. Reported by: Pete French <petefrench@ingresso.co.uk> Tested by: Michiel Boland <boland37@xs4all.nl> Reviewed by: jilles (previous version) Sponsored by: The FreeBSD Foundation MFC after: 1 week
2015-08-29 14:25:01 +00:00
(void)__libc_sigprocmask(SIG_SETMASK, &oldsigblock, NULL);
wordexp(3): fix some bugs with signals and long outputs * retry various system calls on EINTR * retry the rest after a short read (common if there is more than about 1K of output) * block SIGCHLD like system(3) does (note that this does not and cannot work fully in threaded programs, they will need to be careful with wait functions) PR: 90580 MFC after: 1 month
2009-10-23 14:50:11 +00:00
errno = serrno;
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
return (WRDE_NOSPACE); /* XXX */
}
else if (pid == 0) {
/*
wordexp(): Stop using the undocumented wordexp builtin. The functionality of the wordexp builtin is easily replaced using normal shell code, although performance is slightly worse. This does not mean that wordexp() will remain shell-independent -- a fully reliable implementation of WRDE_NOCMD is really only possible using extensions to the shell, or by adding much of the shell's code to libc.
2015-08-16 19:42:15 +00:00
* We are the child; make /bin/sh expand `words'.
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
*/
Switch libc from using _sig{procmask,action,suspend} symbols, which are aliases for the syscall stubs and are plt-interposed, to the libc-private aliases of internally interposed sigprocmask() etc. Since e.g. _sigaction is not interposed by libthr, calling signal() removes thr_sighandler() from the handler slot etc. The result was breaking signal semantic and rtld locking. The added __libc_sigprocmask and other symbols are hidden, they are not exported and cannot be called through PLT. The setjmp/longjmp functions for x86 were changed to use direct calls, and since PIC_PROLOGUE only needed for functional PLT indirection on i386, it is removed as well. The PowerPC bug of calling the syscall directly in the setjmp/longjmp implementation is kept as is. Reported by: Pete French <petefrench@ingresso.co.uk> Tested by: Michiel Boland <boland37@xs4all.nl> Reviewed by: jilles (previous version) Sponsored by: The FreeBSD Foundation MFC after: 1 week
2015-08-29 14:25:01 +00:00
(void)__libc_sigprocmask(SIG_SETMASK, &oldsigblock, NULL);
wordexp(): Avoid leaking the pipe file descriptors to a parallel fork/exec. This uses the new pipe2() system call added on May 1 (r250159).
2013-08-27 21:47:01 +00:00
if ((pdes[1] != STDOUT_FILENO ?
_dup2(pdes[1], STDOUT_FILENO) :
_fcntl(pdes[1], F_SETFD, 0)) < 0)
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
_exit(1);
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
if (_fcntl(pdesw[0], F_SETFD, 0) < 0)
_exit(1);
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
execl(_PATH_BSHELL, "sh", flags & WRDE_UNDEF ? "-u" : "+u",
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
"-c", "IFS=$1;eval \"$2\";"
"freebsd_wordexp -f \"$3\" ${4:+\"$4\"}",
wordexp(): Stop using the undocumented wordexp builtin. The functionality of the wordexp builtin is easily replaced using normal shell code, although performance is slightly worse. This does not mean that wordexp() will remain shell-independent -- a fully reliable implementation of WRDE_NOCMD is really only possible using extensions to the shell, or by adding much of the shell's code to libc.
2015-08-16 19:42:15 +00:00
"",
wordexp: Explicitly pass along IFS. Per Austin group issue #884, sh should not import IFS from the environment but always set it to $' \t\n'. For wordexp(), however, it is documented and useful for it to use IFS from the environment. Since sh currently imports IFS from the environment, this change has no functional effect. MFC after: 1 week
2015-03-31 20:51:01 +00:00
ifs != NULL ? ifs : " \t\n",
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
flags & WRDE_SHOWERR ? "" : "exec 2>/dev/null",
wfdstr,
flags & WRDE_NOCMD ? "-p" : "",
wordexp(): Simplify code by deferring work to sh.
2013-05-09 11:43:45 +00:00
(char *)NULL);
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
_exit(1);
}
/*
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
* We are the parent; write the words.
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
*/
Use hidden names (_close, _dup2, _waitpid, etc.) where appropriate.
2003-01-07 06:07:56 +00:00
_close(pdes[1]);
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
_close(pdesw[0]);
if (!we_write_fully(pdesw[1], words, strlen(words))) {
_close(pdesw[1]);
error = WRDE_SYNTAX;
goto cleanup;
}
_close(pdesw[1]);
/*
* Read the output of the shell wordexp function,
* which is a byte indicating that the words were parsed successfully,
* a 64-bit hexadecimal word count, a dummy byte, a 64-bit hexadecimal
* byte count (not including terminating null bytes), followed by the
* expanded words separated by nulls.
*/
switch (we_read_fully(pdes[0], buf, 34)) {
wordexp(): Improve some error codes. Distinguish between WRDE_BADVAL and WRDE_SYNTAX based on when the error occurred (parsing or execution), not based on whether WRDE_UNDEF was passed. Also, return WRDE_NOSPACE for a few more unexpected results from sh.
2015-08-19 20:31:03 +00:00
case 1:
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
error = buf[0] == 'C' ? WRDE_CMDSUB : WRDE_BADVAL;
wordexp(): Improve some error codes. Distinguish between WRDE_BADVAL and WRDE_SYNTAX based on when the error occurred (parsing or execution), not based on whether WRDE_UNDEF was passed. Also, return WRDE_NOSPACE for a few more unexpected results from sh.
2015-08-19 20:31:03 +00:00
serrno = errno;
goto cleanup;
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
case 34:
wordexp(): Improve some error codes. Distinguish between WRDE_BADVAL and WRDE_SYNTAX based on when the error occurred (parsing or execution), not based on whether WRDE_UNDEF was passed. Also, return WRDE_NOSPACE for a few more unexpected results from sh.
2015-08-19 20:31:03 +00:00
break;
default:
error = WRDE_SYNTAX;
wordexp(3): fix some bugs with signals and long outputs * retry various system calls on EINTR * retry the rest after a short read (common if there is more than about 1K of output) * block SIGCHLD like system(3) does (note that this does not and cannot work fully in threaded programs, they will need to be careful with wait functions) PR: 90580 MFC after: 1 month
2009-10-23 14:50:11 +00:00
serrno = errno;
goto cleanup;
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
}
wordexp(): Improve some error codes. Distinguish between WRDE_BADVAL and WRDE_SYNTAX based on when the error occurred (parsing or execution), not based on whether WRDE_UNDEF was passed. Also, return WRDE_NOSPACE for a few more unexpected results from sh.
2015-08-19 20:31:03 +00:00
buf[17] = '\0';
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
nwords = strtol(buf + 1, NULL, 16);
buf[34] = '\0';
nbytes = strtol(buf + 18, NULL, 16) + nwords;
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
/*
* Allocate or reallocate (when flags & WRDE_APPEND) the word vector
* and string storage buffers for the expanded words we're about to
* read from the child.
*/
sofs = we->we_nbytes;
vofs = we->we_wordc;
Fix typo: WRDE_DOOFS -> WRDE_DOOFFS. Noticed by: Stoned Elipot
2004-06-30 13:55:08 +00:00
if ((flags & (WRDE_DOOFFS|WRDE_APPEND)) == (WRDE_DOOFFS|WRDE_APPEND))
Fix a number of bugs noticed by more extensive testing: o Call waitpid() if an error occurs after forking the child process to avoid leaving zombies around. o Handle the WRDE_DOOFS|WRDE_APPEND combination correctly o Do not confuse $( substitution with $(( shell arithmetic (noticed by wollman) o Handle backslash escaping properly o Allow $( and ${ to be quoted
2003-01-04 06:07:44 +00:00
vofs += we->we_offs;
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
we->we_wordc += nwords;
we->we_nbytes += nbytes;
libc: provide some bounds-checking through reallocarray(3). reallocarray(3) is a non portable extension that originated in OpenBSD. Given that it is already in FreeBSD's libc it is useful for the cases where reallocation involves a multiplication. MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D9955
2017-03-12 16:03:34 +00:00
if ((nwv = reallocarray(we->we_wordv, (we->we_wordc + 1 +
(flags & WRDE_DOOFFS ? we->we_offs : 0)),
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
sizeof(char *))) == NULL) {
wordexp(3): fix some bugs with signals and long outputs * retry various system calls on EINTR * retry the rest after a short read (common if there is more than about 1K of output) * block SIGCHLD like system(3) does (note that this does not and cannot work fully in threaded programs, they will need to be careful with wait functions) PR: 90580 MFC after: 1 month
2009-10-23 14:50:11 +00:00
error = WRDE_NOSPACE;
goto cleanup;
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
}
we->we_wordv = nwv;
if ((nstrings = realloc(we->we_strings, we->we_nbytes)) == NULL) {
wordexp(3): fix some bugs with signals and long outputs * retry various system calls on EINTR * retry the rest after a short read (common if there is more than about 1K of output) * block SIGCHLD like system(3) does (note that this does not and cannot work fully in threaded programs, they will need to be careful with wait functions) PR: 90580 MFC after: 1 month
2009-10-23 14:50:11 +00:00
error = WRDE_NOSPACE;
goto cleanup;
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
}
for (i = 0; i < vofs; i++)
if (we->we_wordv[i] != NULL)
we->we_wordv[i] += nstrings - we->we_strings;
we->we_strings = nstrings;
wordexp(3): fix some bugs with signals and long outputs * retry various system calls on EINTR * retry the rest after a short read (common if there is more than about 1K of output) * block SIGCHLD like system(3) does (note that this does not and cannot work fully in threaded programs, they will need to be careful with wait functions) PR: 90580 MFC after: 1 month
2009-10-23 14:50:11 +00:00
if (we_read_fully(pdes[0], we->we_strings + sofs, nbytes) != nbytes) {
wordexp(): Improve some error codes. Distinguish between WRDE_BADVAL and WRDE_SYNTAX based on when the error occurred (parsing or execution), not based on whether WRDE_UNDEF was passed. Also, return WRDE_NOSPACE for a few more unexpected results from sh.
2015-08-19 20:31:03 +00:00
error = WRDE_NOSPACE; /* abort for unknown reason */
wordexp(3): fix some bugs with signals and long outputs * retry various system calls on EINTR * retry the rest after a short read (common if there is more than about 1K of output) * block SIGCHLD like system(3) does (note that this does not and cannot work fully in threaded programs, they will need to be careful with wait functions) PR: 90580 MFC after: 1 month
2009-10-23 14:50:11 +00:00
serrno = errno;
goto cleanup;
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
}
wordexp(3): fix some bugs with signals and long outputs * retry various system calls on EINTR * retry the rest after a short read (common if there is more than about 1K of output) * block SIGCHLD like system(3) does (note that this does not and cannot work fully in threaded programs, they will need to be careful with wait functions) PR: 90580 MFC after: 1 month
2009-10-23 14:50:11 +00:00
error = 0;
cleanup:
Use hidden names (_close, _dup2, _waitpid, etc.) where appropriate.
2003-01-07 06:07:56 +00:00
_close(pdes[0]);
wordexp(3): fix some bugs with signals and long outputs * retry various system calls on EINTR * retry the rest after a short read (common if there is more than about 1K of output) * block SIGCHLD like system(3) does (note that this does not and cannot work fully in threaded programs, they will need to be careful with wait functions) PR: 90580 MFC after: 1 month
2009-10-23 14:50:11 +00:00
do
wpid = _waitpid(pid, &status, 0);
while (wpid < 0 && errno == EINTR);
Switch libc from using _sig{procmask,action,suspend} symbols, which are aliases for the syscall stubs and are plt-interposed, to the libc-private aliases of internally interposed sigprocmask() etc. Since e.g. _sigaction is not interposed by libthr, calling signal() removes thr_sighandler() from the handler slot etc. The result was breaking signal semantic and rtld locking. The added __libc_sigprocmask and other symbols are hidden, they are not exported and cannot be called through PLT. The setjmp/longjmp functions for x86 were changed to use direct calls, and since PIC_PROLOGUE only needed for functional PLT indirection on i386, it is removed as well. The PowerPC bug of calling the syscall directly in the setjmp/longjmp implementation is kept as is. Reported by: Pete French <petefrench@ingresso.co.uk> Tested by: Michiel Boland <boland37@xs4all.nl> Reviewed by: jilles (previous version) Sponsored by: The FreeBSD Foundation MFC after: 1 week
2015-08-29 14:25:01 +00:00
(void)__libc_sigprocmask(SIG_SETMASK, &oldsigblock, NULL);
wordexp(3): fix some bugs with signals and long outputs * retry various system calls on EINTR * retry the rest after a short read (common if there is more than about 1K of output) * block SIGCHLD like system(3) does (note that this does not and cannot work fully in threaded programs, they will need to be careful with wait functions) PR: 90580 MFC after: 1 month
2009-10-23 14:50:11 +00:00
if (error != 0) {
errno = serrno;
return (error);
}
if (wpid < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
wordexp(): Improve some error codes. Distinguish between WRDE_BADVAL and WRDE_SYNTAX based on when the error occurred (parsing or execution), not based on whether WRDE_UNDEF was passed. Also, return WRDE_NOSPACE for a few more unexpected results from sh.
2015-08-19 20:31:03 +00:00
return (WRDE_NOSPACE); /* abort for unknown reason */
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
/*
* Break the null-terminated expanded word strings out into
* the vector.
*/
Fix typo: WRDE_DOOFS -> WRDE_DOOFFS. Noticed by: Stoned Elipot
2004-06-30 13:55:08 +00:00
if (vofs == 0 && flags & WRDE_DOOFFS)
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
while (vofs < we->we_offs)
we->we_wordv[vofs++] = NULL;
p = we->we_strings + sofs;
while (nwords-- != 0) {
we->we_wordv[vofs++] = p;
if ((np = memchr(p, '\0', nbytes)) == NULL)
return (WRDE_NOSPACE); /* XXX */
nbytes -= np - p + 1;
p = np + 1;
}
we->we_wordv[vofs] = NULL;
return (0);
}
/*
* we_check --
* Check that the string contains none of the following unquoted
* special characters: <newline> |&;<>(){}
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
* This mainly serves for {} which are normally legal in sh.
* It deliberately does not attempt to model full sh syntax.
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
*/
Be more consistent with "static".
2002-12-27 01:01:03 +00:00
static int
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
we_check(const char *words)
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
{
char c;
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
/* Saw \ or $, possibly not special: */
bool quote = false, dollar = false;
/* Saw ', ", ${, ` or $(, possibly not special: */
bool have_sq = false, have_dq = false, have_par_begin = false;
bool have_cmd = false;
/* Definitely saw a ', ", ${, ` or $(, need a closing character: */
bool need_sq = false, need_dq = false, need_par_end = false;
bool need_cmd_old = false, need_cmd_new = false;
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
while ((c = *words++) != '\0') {
switch (c) {
case '\\':
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
quote = !quote;
continue;
case '$':
if (quote)
quote = false;
else
dollar = !dollar;
Fix a number of bugs noticed by more extensive testing: o Call waitpid() if an error occurs after forking the child process to avoid leaving zombies around. o Handle the WRDE_DOOFS|WRDE_APPEND combination correctly o Do not confuse $( substitution with $(( shell arithmetic (noticed by wollman) o Handle backslash escaping properly o Allow $( and ${ to be quoted
2003-01-04 06:07:44 +00:00
continue;
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
case '\'':
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
if (!quote && !have_sq && !have_dq)
need_sq = true;
else
need_sq = false;
have_sq = true;
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
break;
case '"':
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
if (!quote && !have_sq && !have_dq)
need_dq = true;
else
need_dq = false;
have_dq = true;
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
break;
case '`':
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
if (!quote && !have_sq && !have_cmd)
need_cmd_old = true;
else
need_cmd_old = false;
have_cmd = true;
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
break;
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
case '{':
if (!quote && !dollar && !have_sq && !have_dq &&
!have_cmd)
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
return (WRDE_BADCHAR);
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
if (dollar) {
if (!quote && !have_sq)
need_par_end = true;
have_par_begin = true;
}
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
break;
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
case '}':
if (!quote && !have_sq && !have_dq && !have_par_begin &&
!have_cmd)
return (WRDE_BADCHAR);
need_par_end = false;
break;
case '(':
if (!quote && !dollar && !have_sq && !have_dq &&
!have_cmd)
return (WRDE_BADCHAR);
if (dollar) {
if (!quote && !have_sq)
need_cmd_new = true;
have_cmd = true;
}
break;
case ')':
if (!quote && !have_sq && !have_dq && !have_cmd)
return (WRDE_BADCHAR);
need_cmd_new = false;
break;
case '|': case '&': case ';': case '<': case '>': case '\n':
if (!quote && !have_sq && !have_dq && !have_cmd)
return (WRDE_BADCHAR);
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
break;
default:
break;
}
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
quote = dollar = false;
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
}
wordexp: Rewrite to make WRDE_NOCMD reliable. Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
if (quote || dollar || need_sq || need_dq || need_par_end ||
need_cmd_old || need_cmd_new)
Add an implementation of the POSIX wordexp() and wordfree() functions, which perform shell-style word expansion on strings. This is still a little rough around the edges. PR: 13420
2002-12-26 14:34:18 +00:00
return (WRDE_SYNTAX);
return (0);
}
/*
* wordfree --
* Free the result of wordexp(). See wordexp(3).
*
* Specified by IEEE Std. 1003.1-2001.
*/
void
wordfree(wordexp_t *we)
{
if (we == NULL)
return;
free(we->we_wordv);
free(we->we_strings);
we->we_wordv = NULL;
we->we_strings = NULL;
we->we_nbytes = 0;
we->we_wordc = 0;
}
Reference in New Issue Copy Permalink