Changeset 396

Timestamp:

02/22/10 01:59:19 (2 years ago)

Author:

walter

Message:

bugzilla 3420 [PATCH] Allow string import of files using subdirectories

Files:

• branches/dmd-1.x/src/backend/rtlsym.h (modified) (2 diffs)
• branches/dmd-1.x/src/expression.c (modified) (1 diff)
• branches/dmd-1.x/src/root/root.c (modified) (4 diffs)
• branches/dmd-1.x/src/root/root.h (modified) (2 diffs)
• trunk/src/expression.c (modified) (1 diff)
• trunk/src/root/root.c (modified) (4 diffs)
• trunk/src/root/root.h (modified) (2 diffs)

branches/dmd-1.x/src/backend/rtlsym.h

@@ -48 +48 @@
-SYMBOL_MARS(DCOVER,      FLfunc,FREGSAVED,"_d_cover_register", 0, t) \
-SYMBOL_MARS(DASSERT,         FLfunc,FREGSAVED,"_d_assert", SFLexit, t) \
+SYMBOL_MARS(DASSERTM,        FLfunc,FREGSAVED,"_d_assertm", SFLexit, t) \
-SYMBOL_MARS(DASSERT_MSG,     FLfunc,FREGSAVED,"_d_assert_msg", SFLexit, t) \
-SYMBOL_MARS(DARRAY,      FLfunc,FREGSAVED,"_d_array_bounds", SFLexit, t) \
@@ -69 +70 @@
-SYMBOL_MARS(SWITCH_USTRING,FLfunc,FREGSAVED,"_d_switch_ustring", 0, t) \
-SYMBOL_MARS(SWITCH_DSTRING,FLfunc,FREGSAVED,"_d_switch_dstring", 0, t) \
-0
+SFLexit
-SYMBOL_MARS(DHIDDENFUNC,   FLfunc,FREGSAVED,"_d_hidden_func", 0, t) \
-SYMBOL_MARS(NEWCLASS,      FLfunc,FREGSAVED,"_d_newclass", 0, t) \

branches/dmd-1.x/src/expression.c

@@ -5265 +5265 @@
-     */
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-    if (!name)
-, check -Jpath
+ or not in a path specified with -J
-    goto Lerror;
-    }

branches/dmd-1.x/src/root/root.c

@@ -1 +1 @@
-
-09
+10
-// All Rights Reserved
-// written by Walter Bright
-
+http://
-// License for redistribution is by either the Artistic License
-// in artistic.txt, or the GNU General Public License in gnu.txt.
@@ -13 +13 @@
-#include <stdlib.h>
-#include <stdarg.h>
+#include <limits.h>
-#include <string.h>
-#include <stdint.h>
@@ -811 +812 @@
-}
-
+
+/*************************************
+ * Search Path for file in a safe manner.
+ *
+ * Be wary of CWE-22: Improper Limitation of a Pathname to a Restricted Directory
+ * ('Path Traversal') attacks.
+ *  http://cwe.mitre.org/data/definitions/22.html
+ * More info:
+ *  https://www.securecoding.cert.org/confluence/display/seccode/FIO02-C.+Canonicalize+path+names+originating+from+untrusted+sources
+ * Returns:
+ *  NULL    file not found
+ *  !=NULL  mem.malloc'd file name
+ */
+
+char *FileName::safeSearchPath(Array *path, const char *name)
+{
+#if _WIN32
+    /* Disallow % / \ : and .. in name characters
+     */
+    for (const char *p = name; *p; p++)
+    {
+    char c = *p;
+    if (c == '\\' || c == '/' || c == ':' || c == '%' ||
+        (c == '.' && p[1] == '.'))
+    {
+        return NULL;
+    }
+    }
+
+    return FileName::searchPath(path, name, 0);
+#elif POSIX
+    /* Even with realpath(), we must check for // and disallow it
+     */
+    for (const char *p = name; *p; p++)
+    {
+    char c = *p;
+    if (c == '/' && p[1] == '/')
+    {
+        return NULL;
+    }
+    }
+
+    if (path)
+    {   unsigned i;
+
+    /* Each path is converted to a cannonical name and then a check is done to see
+     * that the searched name is really a child one of the the paths searched.
+     */
+    for (i = 0; i < path->dim; i++)
+    {
+        char *cname = NULL;
+        char *cpath = canonicalName((char *)path->data[i]);
+        //printf("FileName::safeSearchPath(): name=%s; path=%s; cpath=%s\n",
+        //      name, (char *)path->data[i], cpath);
+        if (cpath == NULL)
+        goto cont;
+        cname = canonicalName(combine(cpath, name));
+        //printf("FileName::safeSearchPath(): cname=%s\n", cname);
+        if (cname == NULL)
+        goto cont;
+        //printf("FileName::safeSearchPath(): exists=%i "
+        //      "strncmp(cpath, cname, %i)=%i\n", exists(cname),
+        //      strlen(cpath), strncmp(cpath, cname, strlen(cpath)));
+        // exists and name is *really* a "child" of path
+        if (exists(cname) && strncmp(cpath, cname, strlen(cpath)) == 0)
+        {
+        free(cpath);
+        char *p = mem.strdup(cname);
+        free(cname);
+        return p;
+        }
+cont:
+        if (cpath)
+        free(cpath);
+        if (cname)
+        free(cname);
+    }
+    }
+    return NULL;
+#else
+    assert(0);
+#endif
+}
+
+
-int FileName::exists(const char *name)
-{
@@ -877 +963 @@
-    }
-}
+
+
+/******************************************
+ * Return canonical version of name in a malloc'd buffer.
+ * This code is high risk.
+ */
+char *FileName::canonicalName(const char *name)
+{
+#if linux
+    // Lovely glibc extension to do it for us
+    return canonicalize_file_name(name);
+#elif POSIX
+  #if _POSIX_VERSION >= 200809L || defined (linux)
+    // NULL destination buffer is allowed and preferred
+    return realpath(name, NULL);
+  #else
+    char *cname = NULL;
+    #if PATH_MAX
+    /* PATH_MAX must be defined as a constant in <limits.h>,
+     * otherwise using it is unsafe due to TOCTOU
+     */
+    size_t path_max = (size_t)PATH_MAX;
+    if (path_max > 0)
+    {
+        /* Need to add one to PATH_MAX because of realpath() buffer overflow bug:
+         * http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
+         */
+        cname = (char *)malloc(path_max + 1);
+        if (cname == NULL)
+        return NULL;
+    }
+    #endif
+    return realpath(name, cname);
+  #endif
+#elif _WIN32
+    /* Apparently, there is no good way to do this on Windows.
+     * GetFullPathName isn't it.
+     */
+    assert(0);
+    return NULL;
+#else
+    assert(0);
+    return NULL;
+#endif
+}
+
-
-/****************************** File ********************************/

branches/dmd-1.x/src/root/root.h

@@ -1 +1 @@
-
-
-06
+10
-// All Rights Reserved
-// written by Walter Bright
-
+http://
-// License for redistribution is by either the Artistic License
-// in artistic.txt, or the GNU General Public License in gnu.txt.
@@ -149 +149 @@
-    void CopyTo(FileName *to);
-    static char *searchPath(Array *path, const char *name, int cwd);
+    static char *safeSearchPath(Array *path, const char *name);
-    static int exists(const char *name);
-    static void ensurePathExists(const char *path);
+    static char *canonicalName(const char *name);
-};
-

trunk/src/expression.c

@@ -5607 +5607 @@
-     */
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-    if (!name)
-, check -Jpath
+ or not in a path specified with -J
-    goto Lerror;
-    }

trunk/src/root/root.c

@@ -1 +1 @@
-
-09
+10
-// All Rights Reserved
-// written by Walter Bright
-
+http://
-// License for redistribution is by either the Artistic License
-// in artistic.txt, or the GNU General Public License in gnu.txt.
@@ -13 +13 @@
-#include <stdlib.h>
-#include <stdarg.h>
+#include <limits.h>
-#include <string.h>
-#include <stdint.h>
@@ -811 +812 @@
-}
-
+
+/*************************************
+ * Search Path for file in a safe manner.
+ *
+ * Be wary of CWE-22: Improper Limitation of a Pathname to a Restricted Directory
+ * ('Path Traversal') attacks.
+ *  http://cwe.mitre.org/data/definitions/22.html
+ * More info:
+ *  https://www.securecoding.cert.org/confluence/display/seccode/FIO02-C.+Canonicalize+path+names+originating+from+untrusted+sources
+ * Returns:
+ *  NULL    file not found
+ *  !=NULL  mem.malloc'd file name
+ */
+
+char *FileName::safeSearchPath(Array *path, const char *name)
+{
+#if _WIN32
+    /* Disallow % / \ : and .. in name characters
+     */
+    for (const char *p = name; *p; p++)
+    {
+    char c = *p;
+    if (c == '\\' || c == '/' || c == ':' || c == '%' ||
+        (c == '.' && p[1] == '.'))
+    {
+        return NULL;
+    }
+    }
+
+    return FileName::searchPath(path, name, 0);
+#elif POSIX
+    /* Even with realpath(), we must check for // and disallow it
+     */
+    for (const char *p = name; *p; p++)
+    {
+    char c = *p;
+    if (c == '/' && p[1] == '/')
+    {
+        return NULL;
+    }
+    }
+
+    if (path)
+    {   unsigned i;
+
+    /* Each path is converted to a cannonical name and then a check is done to see
+     * that the searched name is really a child one of the the paths searched.
+     */
+    for (i = 0; i < path->dim; i++)
+    {
+        char *cname = NULL;
+        char *cpath = canonicalName((char *)path->data[i]);
+        //printf("FileName::safeSearchPath(): name=%s; path=%s; cpath=%s\n",
+        //      name, (char *)path->data[i], cpath);
+        if (cpath == NULL)
+        goto cont;
+        cname = canonicalName(combine(cpath, name));
+        //printf("FileName::safeSearchPath(): cname=%s\n", cname);
+        if (cname == NULL)
+        goto cont;
+        //printf("FileName::safeSearchPath(): exists=%i "
+        //      "strncmp(cpath, cname, %i)=%i\n", exists(cname),
+        //      strlen(cpath), strncmp(cpath, cname, strlen(cpath)));
+        // exists and name is *really* a "child" of path
+        if (exists(cname) && strncmp(cpath, cname, strlen(cpath)) == 0)
+        {
+        free(cpath);
+        char *p = mem.strdup(cname);
+        free(cname);
+        return p;
+        }
+cont:
+        if (cpath)
+        free(cpath);
+        if (cname)
+        free(cname);
+    }
+    }
+    return NULL;
+#else
+    assert(0);
+#endif
+}
+
+
-int FileName::exists(const char *name)
-{
@@ -877 +963 @@
-    }
-}
+
+
+/******************************************
+ * Return canonical version of name in a malloc'd buffer.
+ * This code is high risk.
+ */
+char *FileName::canonicalName(const char *name)
+{
+#if linux
+    // Lovely glibc extension to do it for us
+    return canonicalize_file_name(name);
+#elif POSIX
+  #if _POSIX_VERSION >= 200809L || defined (linux)
+    // NULL destination buffer is allowed and preferred
+    return realpath(name, NULL);
+  #else
+    char *cname = NULL;
+    #if PATH_MAX
+    /* PATH_MAX must be defined as a constant in <limits.h>,
+     * otherwise using it is unsafe due to TOCTOU
+     */
+    size_t path_max = (size_t)PATH_MAX;
+    if (path_max > 0)
+    {
+        /* Need to add one to PATH_MAX because of realpath() buffer overflow bug:
+         * http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
+         */
+        cname = (char *)malloc(path_max + 1);
+        if (cname == NULL)
+        return NULL;
+    }
+    #endif
+    return realpath(name, cname);
+  #endif
+#elif _WIN32
+    /* Apparently, there is no good way to do this on Windows.
+     * GetFullPathName isn't it.
+     */
+    assert(0);
+    return NULL;
+#else
+    assert(0);
+    return NULL;
+#endif
+}
+
-
-/****************************** File ********************************/

trunk/src/root/root.h

@@ -1 +1 @@
-
-
-06
+10
-// All Rights Reserved
-// written by Walter Bright
-
+http://
-// License for redistribution is by either the Artistic License
-// in artistic.txt, or the GNU General Public License in gnu.txt.
@@ -149 +149 @@
-    void CopyTo(FileName *to);
-    static char *searchPath(Array *path, const char *name, int cwd);
+    static char *safeSearchPath(Array *path, const char *name);
-    static int exists(const char *name);
-    static void ensurePathExists(const char *path);
+    static char *canonicalName(const char *name);
-};
-