d358fa780b
Shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. Therefore, have sh do this detection. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>); The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. Although many implementations of WRDE_NOCMD erroneously allow some command substitutions (and ours even documented this), there appears to be code that relies on its security (codesearch.debian.net shows quite a few uses). Passing untrusted data to wordexp() still exposes a denial of service possibility and a fairly large attack surface. Reviewed by: wblock (man page only) MFC after: 2 weeks Relnotes: yes Security: fixes command execution with wordexp(untrusted, WRDE_NOCMD)
411 lines
10 KiB
C
411 lines
10 KiB
C
/*-
|
|
* Copyright (c) 2002 Tim J. Robbins.
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*/
|
|
|
|
#include "namespace.h"
|
|
#include <sys/cdefs.h>
|
|
#include <sys/types.h>
|
|
#include <sys/wait.h>
|
|
#include <errno.h>
|
|
#include <fcntl.h>
|
|
#include <paths.h>
|
|
#include <signal.h>
|
|
#include <stdbool.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
#include <wordexp.h>
|
|
#include "un-namespace.h"
|
|
#include "libc_private.h"
|
|
|
|
__FBSDID("$FreeBSD$");
|
|
|
|
static int we_askshell(const char *, wordexp_t *, int);
|
|
static int we_check(const char *);
|
|
|
|
/*
|
|
* wordexp --
|
|
* Perform shell word expansion on `words' and place the resulting list
|
|
* of words in `we'. See wordexp(3).
|
|
*
|
|
* Specified by IEEE Std. 1003.1-2001.
|
|
*/
|
|
int
|
|
wordexp(const char * __restrict words, wordexp_t * __restrict we, int flags)
|
|
{
|
|
int error;
|
|
|
|
if (flags & WRDE_REUSE)
|
|
wordfree(we);
|
|
if ((flags & WRDE_APPEND) == 0) {
|
|
we->we_wordc = 0;
|
|
we->we_wordv = NULL;
|
|
we->we_strings = NULL;
|
|
we->we_nbytes = 0;
|
|
}
|
|
if ((error = we_check(words)) != 0) {
|
|
wordfree(we);
|
|
return (error);
|
|
}
|
|
if ((error = we_askshell(words, we, flags)) != 0) {
|
|
wordfree(we);
|
|
return (error);
|
|
}
|
|
return (0);
|
|
}
|
|
|
|
static size_t
|
|
we_read_fully(int fd, char *buffer, size_t len)
|
|
{
|
|
size_t done;
|
|
ssize_t nread;
|
|
|
|
done = 0;
|
|
do {
|
|
nread = _read(fd, buffer + done, len - done);
|
|
if (nread == -1 && errno == EINTR)
|
|
continue;
|
|
if (nread <= 0)
|
|
break;
|
|
done += nread;
|
|
} while (done != len);
|
|
return done;
|
|
}
|
|
|
|
static bool
|
|
we_write_fully(int fd, const char *buffer, size_t len)
|
|
{
|
|
size_t done;
|
|
ssize_t nwritten;
|
|
|
|
done = 0;
|
|
do {
|
|
nwritten = _write(fd, buffer + done, len - done);
|
|
if (nwritten == -1 && errno == EINTR)
|
|
continue;
|
|
if (nwritten <= 0)
|
|
return (false);
|
|
done += nwritten;
|
|
} while (done != len);
|
|
return (true);
|
|
}
|
|
|
|
/*
|
|
* we_askshell --
|
|
* Use the `freebsd_wordexp' /bin/sh builtin function to do most of the
|
|
* work in expanding the word string. This function is complicated by
|
|
* memory management.
|
|
*/
|
|
static int
|
|
we_askshell(const char *words, wordexp_t *we, int flags)
|
|
{
|
|
int pdesw[2]; /* Pipe for writing words */
|
|
int pdes[2]; /* Pipe for reading output */
|
|
char wfdstr[sizeof(int) * 3 + 1];
|
|
char buf[35]; /* Buffer for byte and word count */
|
|
long nwords, nbytes; /* Number of words, bytes from child */
|
|
long i; /* Handy integer */
|
|
size_t sofs; /* Offset into we->we_strings */
|
|
size_t vofs; /* Offset into we->we_wordv */
|
|
pid_t pid; /* Process ID of child */
|
|
pid_t wpid; /* waitpid return value */
|
|
int status; /* Child exit status */
|
|
int error; /* Our return value */
|
|
int serrno; /* errno to return */
|
|
char *np, *p; /* Handy pointers */
|
|
char *nstrings; /* Temporary for realloc() */
|
|
char **nwv; /* Temporary for realloc() */
|
|
sigset_t newsigblock, oldsigblock;
|
|
const char *ifs;
|
|
|
|
serrno = errno;
|
|
ifs = getenv("IFS");
|
|
|
|
if (pipe2(pdesw, O_CLOEXEC) < 0)
|
|
return (WRDE_NOSPACE); /* XXX */
|
|
snprintf(wfdstr, sizeof(wfdstr), "%d", pdesw[0]);
|
|
if (pipe2(pdes, O_CLOEXEC) < 0) {
|
|
_close(pdesw[0]);
|
|
_close(pdesw[1]);
|
|
return (WRDE_NOSPACE); /* XXX */
|
|
}
|
|
(void)sigemptyset(&newsigblock);
|
|
(void)sigaddset(&newsigblock, SIGCHLD);
|
|
(void)__libc_sigprocmask(SIG_BLOCK, &newsigblock, &oldsigblock);
|
|
if ((pid = fork()) < 0) {
|
|
serrno = errno;
|
|
_close(pdesw[0]);
|
|
_close(pdesw[1]);
|
|
_close(pdes[0]);
|
|
_close(pdes[1]);
|
|
(void)__libc_sigprocmask(SIG_SETMASK, &oldsigblock, NULL);
|
|
errno = serrno;
|
|
return (WRDE_NOSPACE); /* XXX */
|
|
}
|
|
else if (pid == 0) {
|
|
/*
|
|
* We are the child; make /bin/sh expand `words'.
|
|
*/
|
|
(void)__libc_sigprocmask(SIG_SETMASK, &oldsigblock, NULL);
|
|
if ((pdes[1] != STDOUT_FILENO ?
|
|
_dup2(pdes[1], STDOUT_FILENO) :
|
|
_fcntl(pdes[1], F_SETFD, 0)) < 0)
|
|
_exit(1);
|
|
if (_fcntl(pdesw[0], F_SETFD, 0) < 0)
|
|
_exit(1);
|
|
execl(_PATH_BSHELL, "sh", flags & WRDE_UNDEF ? "-u" : "+u",
|
|
"-c", "IFS=$1;eval \"$2\";"
|
|
"freebsd_wordexp -f \"$3\" ${4:+\"$4\"}",
|
|
"",
|
|
ifs != NULL ? ifs : " \t\n",
|
|
flags & WRDE_SHOWERR ? "" : "exec 2>/dev/null",
|
|
wfdstr,
|
|
flags & WRDE_NOCMD ? "-p" : "",
|
|
(char *)NULL);
|
|
_exit(1);
|
|
}
|
|
|
|
/*
|
|
* We are the parent; write the words.
|
|
*/
|
|
_close(pdes[1]);
|
|
_close(pdesw[0]);
|
|
if (!we_write_fully(pdesw[1], words, strlen(words))) {
|
|
_close(pdesw[1]);
|
|
error = WRDE_SYNTAX;
|
|
goto cleanup;
|
|
}
|
|
_close(pdesw[1]);
|
|
/*
|
|
* Read the output of the shell wordexp function,
|
|
* which is a byte indicating that the words were parsed successfully,
|
|
* a 64-bit hexadecimal word count, a dummy byte, a 64-bit hexadecimal
|
|
* byte count (not including terminating null bytes), followed by the
|
|
* expanded words separated by nulls.
|
|
*/
|
|
switch (we_read_fully(pdes[0], buf, 34)) {
|
|
case 1:
|
|
error = buf[0] == 'C' ? WRDE_CMDSUB : WRDE_BADVAL;
|
|
serrno = errno;
|
|
goto cleanup;
|
|
case 34:
|
|
break;
|
|
default:
|
|
error = WRDE_SYNTAX;
|
|
serrno = errno;
|
|
goto cleanup;
|
|
}
|
|
buf[17] = '\0';
|
|
nwords = strtol(buf + 1, NULL, 16);
|
|
buf[34] = '\0';
|
|
nbytes = strtol(buf + 18, NULL, 16) + nwords;
|
|
|
|
/*
|
|
* Allocate or reallocate (when flags & WRDE_APPEND) the word vector
|
|
* and string storage buffers for the expanded words we're about to
|
|
* read from the child.
|
|
*/
|
|
sofs = we->we_nbytes;
|
|
vofs = we->we_wordc;
|
|
if ((flags & (WRDE_DOOFFS|WRDE_APPEND)) == (WRDE_DOOFFS|WRDE_APPEND))
|
|
vofs += we->we_offs;
|
|
we->we_wordc += nwords;
|
|
we->we_nbytes += nbytes;
|
|
if ((nwv = realloc(we->we_wordv, (we->we_wordc + 1 +
|
|
(flags & WRDE_DOOFFS ? we->we_offs : 0)) *
|
|
sizeof(char *))) == NULL) {
|
|
error = WRDE_NOSPACE;
|
|
goto cleanup;
|
|
}
|
|
we->we_wordv = nwv;
|
|
if ((nstrings = realloc(we->we_strings, we->we_nbytes)) == NULL) {
|
|
error = WRDE_NOSPACE;
|
|
goto cleanup;
|
|
}
|
|
for (i = 0; i < vofs; i++)
|
|
if (we->we_wordv[i] != NULL)
|
|
we->we_wordv[i] += nstrings - we->we_strings;
|
|
we->we_strings = nstrings;
|
|
|
|
if (we_read_fully(pdes[0], we->we_strings + sofs, nbytes) != nbytes) {
|
|
error = WRDE_NOSPACE; /* abort for unknown reason */
|
|
serrno = errno;
|
|
goto cleanup;
|
|
}
|
|
|
|
error = 0;
|
|
cleanup:
|
|
_close(pdes[0]);
|
|
do
|
|
wpid = _waitpid(pid, &status, 0);
|
|
while (wpid < 0 && errno == EINTR);
|
|
(void)__libc_sigprocmask(SIG_SETMASK, &oldsigblock, NULL);
|
|
if (error != 0) {
|
|
errno = serrno;
|
|
return (error);
|
|
}
|
|
if (wpid < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
|
|
return (WRDE_NOSPACE); /* abort for unknown reason */
|
|
|
|
/*
|
|
* Break the null-terminated expanded word strings out into
|
|
* the vector.
|
|
*/
|
|
if (vofs == 0 && flags & WRDE_DOOFFS)
|
|
while (vofs < we->we_offs)
|
|
we->we_wordv[vofs++] = NULL;
|
|
p = we->we_strings + sofs;
|
|
while (nwords-- != 0) {
|
|
we->we_wordv[vofs++] = p;
|
|
if ((np = memchr(p, '\0', nbytes)) == NULL)
|
|
return (WRDE_NOSPACE); /* XXX */
|
|
nbytes -= np - p + 1;
|
|
p = np + 1;
|
|
}
|
|
we->we_wordv[vofs] = NULL;
|
|
|
|
return (0);
|
|
}
|
|
|
|
/*
|
|
* we_check --
|
|
* Check that the string contains none of the following unquoted
|
|
* special characters: <newline> |&;<>(){}
|
|
* This mainly serves for {} which are normally legal in sh.
|
|
* It deliberately does not attempt to model full sh syntax.
|
|
*/
|
|
static int
|
|
we_check(const char *words)
|
|
{
|
|
char c;
|
|
/* Saw \ or $, possibly not special: */
|
|
bool quote = false, dollar = false;
|
|
/* Saw ', ", ${, ` or $(, possibly not special: */
|
|
bool have_sq = false, have_dq = false, have_par_begin = false;
|
|
bool have_cmd = false;
|
|
/* Definitely saw a ', ", ${, ` or $(, need a closing character: */
|
|
bool need_sq = false, need_dq = false, need_par_end = false;
|
|
bool need_cmd_old = false, need_cmd_new = false;
|
|
|
|
while ((c = *words++) != '\0') {
|
|
switch (c) {
|
|
case '\\':
|
|
quote = !quote;
|
|
continue;
|
|
case '$':
|
|
if (quote)
|
|
quote = false;
|
|
else
|
|
dollar = !dollar;
|
|
continue;
|
|
case '\'':
|
|
if (!quote && !have_sq && !have_dq)
|
|
need_sq = true;
|
|
else
|
|
need_sq = false;
|
|
have_sq = true;
|
|
break;
|
|
case '"':
|
|
if (!quote && !have_sq && !have_dq)
|
|
need_dq = true;
|
|
else
|
|
need_dq = false;
|
|
have_dq = true;
|
|
break;
|
|
case '`':
|
|
if (!quote && !have_sq && !have_cmd)
|
|
need_cmd_old = true;
|
|
else
|
|
need_cmd_old = false;
|
|
have_cmd = true;
|
|
break;
|
|
case '{':
|
|
if (!quote && !dollar && !have_sq && !have_dq &&
|
|
!have_cmd)
|
|
return (WRDE_BADCHAR);
|
|
if (dollar) {
|
|
if (!quote && !have_sq)
|
|
need_par_end = true;
|
|
have_par_begin = true;
|
|
}
|
|
break;
|
|
case '}':
|
|
if (!quote && !have_sq && !have_dq && !have_par_begin &&
|
|
!have_cmd)
|
|
return (WRDE_BADCHAR);
|
|
need_par_end = false;
|
|
break;
|
|
case '(':
|
|
if (!quote && !dollar && !have_sq && !have_dq &&
|
|
!have_cmd)
|
|
return (WRDE_BADCHAR);
|
|
if (dollar) {
|
|
if (!quote && !have_sq)
|
|
need_cmd_new = true;
|
|
have_cmd = true;
|
|
}
|
|
break;
|
|
case ')':
|
|
if (!quote && !have_sq && !have_dq && !have_cmd)
|
|
return (WRDE_BADCHAR);
|
|
need_cmd_new = false;
|
|
break;
|
|
case '|': case '&': case ';': case '<': case '>': case '\n':
|
|
if (!quote && !have_sq && !have_dq && !have_cmd)
|
|
return (WRDE_BADCHAR);
|
|
break;
|
|
default:
|
|
break;
|
|
}
|
|
quote = dollar = false;
|
|
}
|
|
if (quote || dollar || need_sq || need_dq || need_par_end ||
|
|
need_cmd_old || need_cmd_new)
|
|
return (WRDE_SYNTAX);
|
|
|
|
return (0);
|
|
}
|
|
|
|
/*
|
|
* wordfree --
|
|
* Free the result of wordexp(). See wordexp(3).
|
|
*
|
|
* Specified by IEEE Std. 1003.1-2001.
|
|
*/
|
|
void
|
|
wordfree(wordexp_t *we)
|
|
{
|
|
|
|
if (we == NULL)
|
|
return;
|
|
free(we->we_wordv);
|
|
free(we->we_strings);
|
|
we->we_wordv = NULL;
|
|
we->we_strings = NULL;
|
|
we->we_nbytes = 0;
|
|
we->we_wordc = 0;
|
|
}
|