d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
d358fa780b
freebsd-dev/lib
History
Jilles Tjoelker d358fa780b wordexp: Rewrite to make WRDE_NOCMD reliable. 
Shell syntax is too complicated to detect command substitution and unquoted
operators reliably without implementing much of sh's parser. Therefore, have
sh do this detection.

While changing sh's support anyway, also read input from a pipe instead of
arguments to avoid {ARG_MAX} limits and improve privacy, and output count
and length using 16 instead of 8 digits.

The basic concept is:
execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2",
    "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>);

The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to
fail strings containing unquoted braces with code WRDE_BADCHAR. Since this
is normally not a syntax error in sh, there is still a need for checking
code in libc, we_check().

The new we_check() is an optimistic check that all the characters
  <newline> | & ; < > ( ) { }
are quoted. To avoid duplicating too much sh logic, such characters are
permitted when quoting characters are seen, even if the quoting characters
may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad
characters that get past it and are a syntax error in sh return WRDE_SYNTAX.

Although many implementations of WRDE_NOCMD erroneously allow some command
substitutions (and ours even documented this), there appears to be code that
relies on its security (codesearch.debian.net shows quite a few uses).
Passing untrusted data to wordexp() still exposes a denial of service
possibility and a fairly large attack surface.

Reviewed by:	wblock (man page only)
MFC after:	2 weeks
Relnotes:	yes
Security:	fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
..
atf Add META_MODE support. 2015-06-13 19:20:56 +00:00
clang META_MODE: Remove DEP_RELDIR from Makefile.depend files. 2015-09-25 19:26:08 +00:00
csu Annotate arm userspace assembler sources stating their tolerance to 2015-09-29 16:09:58 +00:00
libalias Revert r284417 it is not necessary anymore 2015-06-15 19:28:07 +00:00
libarchive MFV r285970: 2015-07-28 18:41:28 +00:00
libauditd Add META_MODE support. 2015-06-13 19:20:56 +00:00
libbegemot new depends 2015-06-16 23:37:19 +00:00
libblocksruntime META_MODE: Remove DEP_RELDIR from Makefile.depend files. 2015-09-25 19:26:08 +00:00
libbluetooth Add META_MODE support. 2015-06-13 19:20:56 +00:00
libbsdstat
libbsm Add META_MODE support. 2015-06-13 19:20:56 +00:00
libbsnmp Add META_MODE support. 2015-06-13 19:20:56 +00:00
libbz2 Add META_MODE support. 2015-06-13 19:20:56 +00:00
libc wordexp: Rewrite to make WRDE_NOCMD reliable. 2015-09-30 21:32:29 +00:00
libc_nonshared Add META_MODE support. 2015-06-13 19:20:56 +00:00
libc++ Add META_MODE support. 2015-06-13 19:20:56 +00:00
libcalendar Add META_MODE support. 2015-06-13 19:20:56 +00:00
libcam Revert r284417 it is not necessary anymore 2015-06-15 19:28:07 +00:00
libcapsicum Let the nv.h and dnv.h includes be only in sys directory. 2015-07-02 21:58:10 +00:00
libcasper Let the nv.h and dnv.h includes be only in sys directory. 2015-07-02 21:58:10 +00:00
libclang_rt
libcom_err new depends 2015-06-16 23:37:19 +00:00
libcompat Add META_MODE support. 2015-06-13 19:20:56 +00:00
libcompiler_rt Annotate arm userspace assembler sources stating their tolerance to 2015-09-29 16:09:58 +00:00
libcrypt META_MODE: Remove DEP_RELDIR from Makefile.depend files. 2015-09-25 19:26:08 +00:00
libcuse META_MODE: Remove DEP_RELDIR from Makefile.depend files. 2015-09-25 19:26:08 +00:00
libcxxrt META_MODE: Remove DEP_RELDIR from Makefile.depend files. 2015-09-25 19:26:08 +00:00
libdevctl
libdevinfo Add META_MODE support. 2015-06-13 19:20:56 +00:00
libdevstat Add META_MODE support. 2015-06-13 19:20:56 +00:00
libdpv Add META_MODE support. 2015-06-13 19:20:56 +00:00
libdwarf new depends 2015-06-16 23:37:19 +00:00
libedit Revert r284417 it is not necessary anymore 2015-06-15 19:28:07 +00:00
libefi
libelf Add META_MODE support. 2015-06-13 19:20:56 +00:00
libelftc Pay attention to MK_ELFTOOLCHAIN_TOOLS so we build the desired tools. 2015-06-15 20:11:15 +00:00
libevent META_MODE: Remove DEP_RELDIR from Makefile.depend files. 2015-09-25 19:26:08 +00:00
libexecinfo Add META_MODE support. 2015-06-13 19:20:56 +00:00
libexpat Revert r284417 it is not necessary anymore 2015-06-15 19:28:07 +00:00
libfetch Fix non-POSIX-compliant use of getaddrinfo in libfetch 2015-09-25 14:24:23 +00:00
libfigpar Add META_MODE support. 2015-06-13 19:20:56 +00:00
libgeom Plug memory leaks when running out of memory. 2015-08-28 06:41:40 +00:00
libgpib META_MODE: Remove DEP_RELDIR from Makefile.depend files. 2015-09-25 19:26:08 +00:00
libgpio Bump .Dd for the example code update. 2015-07-01 16:50:01 +00:00
libgssapi Add META_MODE support. 2015-06-13 19:20:56 +00:00
libiconv_modules META_MODE: Remove DEP_RELDIR from Makefile.depend files. 2015-09-25 19:26:08 +00:00
libipsec New AES modes for IPSec, user space components. 2015-07-03 20:09:14 +00:00
libjail Revert r284417 it is not necessary anymore 2015-06-15 19:28:07 +00:00
libkiconv Revert r284417 it is not necessary anymore 2015-06-15 19:28:07 +00:00
libkvm Add support to libkvm for reading minidumps on arm64. The kernel side is 2015-08-20 11:07:51 +00:00
libldns new depends 2015-06-16 23:37:19 +00:00
liblzma Replace beforeinstall: handling with FILES. 2015-09-18 23:49:32 +00:00
libmagic MFV r288140: update file to 5.25. 2015-09-23 05:39:20 +00:00
libmd Add new include path for sha256.h 2015-07-12 03:39:36 +00:00
libmemstat Add META_MODE support. 2015-06-13 19:20:56 +00:00
libmilter META_MODE: Remove DEP_RELDIR from Makefile.depend files. 2015-09-25 19:26:08 +00:00
libmp new depends 2015-06-16 23:37:19 +00:00
libmt Revert r284417 it is not necessary anymore 2015-06-15 19:28:07 +00:00
libnandfs
libnetbsd Add META_MODE support. 2015-06-13 19:20:56 +00:00
libnetgraph Add META_MODE support. 2015-06-13 19:20:56 +00:00
libngatm Add META_MODE support. 2015-06-13 19:20:56 +00:00
libnv Add support for the arrays in nvlist library. 2015-08-15 06:34:49 +00:00
libohash Add META_MODE support. 2015-06-13 19:20:56 +00:00
libopie new depends 2015-06-16 23:37:19 +00:00
libpam Restore the upstream (and documented) behavior of searching for modules 2015-09-21 17:26:35 +00:00
libpcap Revert r284417 it is not necessary anymore 2015-06-15 19:28:07 +00:00
libpjdlog Revert r284417 it is not necessary anymore 2015-06-15 19:28:07 +00:00
libpmc Add META_MODE support. 2015-06-13 19:20:56 +00:00
libproc Enable libproc symbol_lookup tests on arm64 2015-08-31 20:30:06 +00:00
libprocstat Detect badly behaved coredump note helpers 2015-09-03 20:32:10 +00:00
libradius new depends 2015-06-16 23:37:19 +00:00
librpcsec_gss META_MODE: Remove DEP_RELDIR from Makefile.depend files. 2015-09-25 19:26:08 +00:00
librpcsvc Add META_MODE support. 2015-06-13 19:20:56 +00:00
librt Add META_MODE support. 2015-06-13 19:20:56 +00:00
librtld_db Add META_MODE support. 2015-06-13 19:20:56 +00:00
libsbuf new depends 2015-06-16 23:37:19 +00:00
libsdp Add META_MODE support. 2015-06-13 19:20:56 +00:00
libsm Update META_MODE dependencies. 2015-09-17 05:06:34 +00:00
libsmb META_MODE: Remove DEP_RELDIR from Makefile.depend files. 2015-09-25 19:26:08 +00:00
libsmdb Add META_MODE support. 2015-06-13 19:20:56 +00:00
libsmutil Add META_MODE support. 2015-06-13 19:20:56 +00:00
libsqlite3 Move the USE_PREAD configuration knob out of the middle of the autoconf 2015-08-09 05:54:53 +00:00
libstand META_MODE: Remove DEP_RELDIR from Makefile.depend files. 2015-09-25 19:26:08 +00:00
libstdbuf META_MODE: Remove DEP_RELDIR from Makefile.depend files. 2015-09-25 19:26:08 +00:00
libstdthreads META_MODE: Remove DEP_RELDIR from Makefile.depend files. 2015-09-25 19:26:08 +00:00
libtacplus Add META_MODE support. 2015-06-13 19:20:56 +00:00
libtelnet Add META_MODE support. 2015-06-13 19:20:56 +00:00
libthr Style. Use ANSI definition, wrap long lines, no initialization in 2015-09-08 08:48:53 +00:00
libthread_db new depends 2015-06-16 23:37:19 +00:00
libucl Add META_MODE support. 2015-06-13 19:20:56 +00:00
libufs Revert r284417 it is not necessary anymore 2015-06-15 19:28:07 +00:00
libugidfw Fix 'ugidfw remove' after r284251 incorrectly changed it. 2015-09-29 18:48:12 +00:00
libulog Revert r284417 it is not necessary anymore 2015-06-15 19:28:07 +00:00
libunbound META_MODE: Remove DEP_RELDIR from Makefile.depend files. 2015-09-25 19:26:08 +00:00
libusb Replace beforeinstall: handling with FILES. 2015-09-18 23:49:32 +00:00
libusbhid Add META_MODE support. 2015-06-13 19:20:56 +00:00
libutil Detect badly behaved coredump note helpers 2015-09-03 20:32:10 +00:00
libvgl META_MODE: Remove DEP_RELDIR from Makefile.depend files. 2015-09-25 19:26:08 +00:00
libvmmapi Move the 'devmem' device nodes from /dev/vmm to /dev/vmm.io 2015-07-06 19:41:43 +00:00
libwrap Add META_MODE support. 2015-06-13 19:20:56 +00:00
libxo Update META_MODE dependencies. 2015-09-17 05:06:34 +00:00
liby Add META_MODE support. 2015-06-13 19:20:56 +00:00
libypclnt new depends 2015-06-16 23:37:19 +00:00
libz Replace beforeinstall: handling with FILES. 2015-09-18 23:49:32 +00:00
msun In libm's exp2(3), avoid left-shifting a negative integer, which is 2015-08-09 10:00:13 +00:00
ncurses Add missing CLEANFILES. 2015-09-26 01:04:52 +00:00
tests
Makefile Roll WITHOUT_ELFTOOLCHAIN_TOOLS into WITHOUT_TOOLCHAIN 2015-08-13 17:50:47 +00:00
Makefile.inc