FreeBSD src
Jilles Tjoelker d358fa780b wordexp: Rewrite to make WRDE_NOCMD reliable.
Shell syntax is too complicated to detect command substitution and unquoted
operators reliably without implementing much of sh's parser. Therefore, have
sh do this detection.

While changing sh's support anyway, also read input from a pipe instead of
arguments to avoid {ARG_MAX} limits and improve privacy, and output count
and length using 16 instead of 8 digits.

The basic concept is:
execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2",
    "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>);

The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to
fail strings containing unquoted braces with code WRDE_BADCHAR. Since this
is normally not a syntax error in sh, there is still a need for checking
code in libc, we_check().

The new we_check() is an optimistic check that all the characters
  <newline> | & ; < > ( ) { }
are quoted. To avoid duplicating too much sh logic, such characters are
permitted when quoting characters are seen, even if the quoting characters
may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad
characters that get past it and are a syntax error in sh return WRDE_SYNTAX.

Although many implementations of WRDE_NOCMD erroneously allow some command
substitutions (and ours even documented this), there appears to be code that
relies on its security (codesearch.debian.net shows quite a few uses).
Passing untrusted data to wordexp() still exposes a denial of service
possibility and a fairly large attack surface.

Reviewed by:	wblock (man page only)
MFC after:	2 weeks
Relnotes:	yes
Security:	fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
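The optimistic check the commit message describes, as an added illustration: this is not FreeBSD's we_check() nor any code from the commit. The names we_check_demo(), is_special() and the WE_OK / WE_BADCHAR codes are assumptions for the demo, and the sample strings are constructed. The scan lets the special characters through inside quotes, after a backslash, or inside ${...} and $(...), and leaves command substitution to sh, which is the division of labour the commit adopts.

```c
/*
 * Added illustration, not FreeBSD's we_check(): an "optimistic" scan that
 * rejects the characters  <newline> | & ; < > ( ) { }  only when nothing
 * in the string could be quoting them.  Command substitution is deliberately
 * not detected here; as in the commit, that job belongs to sh.
 */
#include <stdio.h>
#include <string.h>

/* Result codes for this demo; names mirror wordexp(3), values are arbitrary. */
enum { WE_OK = 0, WE_BADCHAR = 1 };

/* Characters wordexp(3) must reject when they appear unquoted. */
static int
is_special(char c)
{
	return (c == '\n' || (c != '\0' && strchr("|&;<>(){}", c) != NULL));
}

/*
 * Return WE_BADCHAR if a special character appears outside single quotes,
 * double quotes, a backslash escape, or a ${...} / $(...) expansion.
 * The scan is optimistic: it does not model sh fully, so for example an
 * unterminated quote hides everything after it.  Such input passes here
 * and is then a syntax error in sh, surfacing as WRDE_SYNTAX instead.
 */
int
we_check_demo(const char *words)
{
	int squote = 0, dquote = 0, depth = 0;
	const char *p;

	for (p = words; *p != '\0'; p++) {
		if (squote) {			/* inside '...': everything literal */
			if (*p == '\'')
				squote = 0;
			continue;
		}
		switch (*p) {
		case '\\':			/* backslash quotes the next char */
			if (p[1] != '\0')
				p++;
			continue;
		case '\'':
			if (!dquote)
				squote = 1;
			continue;
		case '"':
			dquote ^= 1;
			continue;
		case '$':			/* ${...} and $(...) are allowed contexts */
			if (p[1] == '{' || p[1] == '(') {
				depth++;
				p++;
			}
			continue;
		case '}':
		case ')':
			if (depth > 0) {
				depth--;
				continue;
			}
			break;
		default:
			break;
		}
		if (is_special(*p) && !dquote && depth == 0)
			return (WE_BADCHAR);
	}
	return (WE_OK);
}

int
main(void)
{
	/* Constructed sample inputs, not taken from the commit. */
	static const struct { const char *words; int expect; } cases[] = {
		{ "foo bar",       WE_OK },       /* plain words */
		{ "foo; id",       WE_BADCHAR },  /* unquoted ; */
		{ "\"foo; id\"",   WE_OK },       /* ; inside double quotes */
		{ "'a|b'",         WE_OK },       /* | inside single quotes */
		{ "a\\|b",         WE_OK },       /* | escaped by backslash */
		{ "${HOME}",       WE_OK },       /* braces in parameter expansion */
		{ "$(id)",         WE_OK },       /* passes here; sh -p (WRDE_NOCMD) decides */
		{ "{a,b}",         WE_BADCHAR },  /* bare braces */
		{ "a\nb",          WE_BADCHAR },  /* unquoted newline */
		{ "'unterminated", WE_OK },       /* optimistic: left for sh to reject */
	};
	size_t i;
	int rc = 0;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		int got = we_check_demo(cases[i].words);

		printf("%s -> %s\n", cases[i].words,
		    got == WE_OK ? "ok" : "WRDE_BADCHAR");
		if (got != cases[i].expect)
			rc = 1;
	}
	return (rc);
}
```

The "$(id)" row is the point of the commit: a libc-side scan cannot tell a harmless parenthesis from a command substitution without most of sh's parser, so this check only answers the WRDE_BADCHAR question and the WRDE_NOCMD decision is made by sh.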
bin wordexp: Rewrite to make WRDE_NOCMD reliable. 2015-09-30 21:32:29 +00:00
cddl Have lockstat(1) trace locks by name rather than by address. 2015-09-30 05:46:56 +00:00
contrib Annotate arm userspace assembler sources stating their tolerance to 2015-09-29 16:09:58 +00:00
crypto Fix OpenSSH multiple vulnerabilities by backporting three changes 2015-08-25 20:48:37 +00:00
etc When stopping ugidfw, it is not enough to just try unloading the module. If 2015-09-29 18:51:56 +00:00
games Correctly case FreeBSD in my entry in the tips file 2015-09-08 22:51:10 +00:00
gnu Replace most of the beforeinstall: hack with FILES mechanism. 2015-09-30 20:47:27 +00:00
include META_MODE: Avoid command changing in 2nd build. 2015-09-18 21:36:29 +00:00
kerberos5 Add more SUBDIR_PARALLEL. 2015-09-26 14:13:51 +00:00
lib wordexp: Rewrite to make WRDE_NOCMD reliable. 2015-09-30 21:32:29 +00:00
libexec Annotate arm userspace assembler sources stating their tolerance to 2015-09-29 16:09:58 +00:00
release Initial attempt to add support for building images for 2015-09-30 16:31:21 +00:00
rescue META_MODE: Remove DEP_MACHINE from Makefile.depend files. 2015-09-25 19:44:01 +00:00
sbin Replace N #defines with nitems to simplify ifconfig code slightly 2015-09-27 07:51:18 +00:00
secure Replace afterinstall: hack from r111083 with 'make delete-old' functionality. 2015-09-19 03:46:10 +00:00
share META_MODE: Remove unneeded groff/tmac special GENDIRDEPS_FILTER. 2015-09-30 20:40:51 +00:00
sys Use proper STAILQ_* macros where possible. 2015-09-30 20:38:35 +00:00
targets remove unused sgsmsg utility (originally imported from opensolaris) 2015-09-28 12:38:57 +00:00
tests Use _exit() instead of exit() in child processes created during tests. 2015-09-09 22:54:07 +00:00
tools remove unused sgsmsg utility (originally imported from opensolaris) 2015-09-28 12:38:57 +00:00
usr.bin Several changes to truss. 2015-09-30 19:13:32 +00:00
usr.sbin The Sun RPC framework uses a netbuf structure to represent the 2015-09-29 18:05:54 +00:00
.arcconfig Add repository.callsign, to help arcanist figure out what repo it's 2015-07-02 22:23:52 +00:00
.arclint phabricator related changes: 2015-04-20 20:33:22 +00:00
COPYRIGHT Bump copyright year. 2014-12-31 10:00:43 +00:00
LOCKS Explicitly require Security Officer's approval for kernel PRNG bits. 2013-09-17 14:19:05 +00:00
MAINTAINERS Remove cokane@ from MAINTAINERS for 3dfx(4)/tdfx(4) because their email 2014-11-25 05:25:12 +00:00
Makefile Fix the .MAKE added in r251750 to properly support the historical -n -n. 2015-09-29 18:57:30 +00:00
Makefile.inc1 remove unused sgsmsg utility (originally imported from opensolaris) 2015-09-28 12:38:57 +00:00
ObsoleteFiles.inc remove unused sgsmsg utility (originally imported from opensolaris) 2015-09-28 12:38:57 +00:00
README README: changes and fixups 2015-04-19 07:16:44 +00:00
UPDATING Correct UPDATING entry date 2015-09-24 16:56:44 +00:00

This is the top level of the FreeBSD source directory.  This file
was last revised on:
$FreeBSD$

For copyright information, please see the file COPYRIGHT in this
directory (additional copyright information also exists for some
sources in this tree - please see the specific source directories for
more information).

The Makefile in this directory supports a number of targets for
building components (or all) of the FreeBSD source tree.  See build(7)
and http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html
for more information, including setting make(1) variables.

The `buildkernel` and `installkernel` targets build and install
the kernel and the modules (see below).  Please see the top of
the Makefile in this directory for more information on the
standard build targets and compile-time flags.

Building a kernel is a somewhat more involved process.  See build(7), config(8),
and http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html
for more information.

Note: If you want to build and install the kernel with the
`buildkernel` and `installkernel` targets, you might need to build
world first.  More information is available in the handbook.

The kernel configuration files reside in the sys/<arch>/conf
sub-directory.  GENERIC is the default configuration used in release builds.
NOTES contains entries and documentation for all possible
devices, not just those commonly used.


Source Roadmap:
---------------

bin		System/user commands.

cddl		Various commands and libraries under the Common Development
		and Distribution License.

contrib		Packages contributed by 3rd parties.

crypto		Cryptography stuff (see crypto/README).

etc		Template files for /etc.

games		Amusements.

gnu		Various commands and libraries under the GNU General Public
		License.  Please see gnu/COPYING* for more information.

include		System include files.

kerberos5	Kerberos5 (Heimdal) package.

lib		System libraries.

libexec		System daemons.

release		Release building Makefile & associated tools.

rescue		Build system for statically linked /rescue utilities.

sbin		System commands.

secure		Cryptographic libraries and commands.

share		Shared resources.

sys		Kernel sources.

tests		Regression tests which can be run by Kyua.  See tests/README
		for additional information.

tools		Utilities for regression testing and miscellaneous tasks.

usr.bin		User commands.

usr.sbin	System administration commands.


For information on synchronizing your source tree with one or more of
the FreeBSD Project's development branches, please see:

  http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/synching.html