Lines 56-61
Link Here
|
56 |
#ifdef HAVE_LIBGEN_H |
56 |
#ifdef HAVE_LIBGEN_H |
57 |
#include <libgen.h> |
57 |
#include <libgen.h> |
58 |
#endif /* HAVE_LIBGEN_H */ |
58 |
#endif /* HAVE_LIBGEN_H */ |
|
|
59 |
#include <regex.h> |
59 |
|
60 |
|
60 |
/* LOCAL INCLUDES */ |
61 |
/* LOCAL INCLUDES */ |
61 |
#include "pathnames.h" |
62 |
#include "pathnames.h" |
Lines 198-203
bool check_command( char *cl, ShellOptions_t *opts, char *cmd, int cmdflag )
Link Here
|
198 |
|
199 |
|
199 |
|
200 |
|
200 |
/* |
201 |
/* |
|
|
202 |
* rsync_e_okay() - take the command line passed to rssh and look for an -e |
203 |
* option. If one is found, make sure --server is provided |
204 |
* and the option contains only the protocol information. |
205 |
* Also check for and reject any --rsh option. Returns FALSE |
206 |
* if the command line should not be allowed, TRUE if it is |
207 |
* okay. |
208 |
*/ |
209 |
static int rsync_e_okay( char **vec ) |
210 |
{ |
211 |
regex_t re; |
212 |
int server = FALSE; |
213 |
int e_found = FALSE; |
214 |
|
215 |
/* |
216 |
* rsync will send -e, followed by either just "." (meaning no special |
217 |
* protocol) or "N.N" (meaning a pre-release protocol version), |
218 |
* followed by some number of alphabetic flags indicating various |
219 |
* supported options. There may be other options between - and the e, |
220 |
* but -e will always be the last option in the string. A typical |
221 |
* option passed by the client is "-ltpre.iL". |
222 |
* |
223 |
* Note that if --server is given, this should never be parsed as a |
224 |
* shell, but we'll tightly verify it anyway, just in case. |
225 |
* |
226 |
* This regex matches the acceptable flags containing -e, so if it |
227 |
* does not match, the command line should be rejected. |
228 |
*/ |
229 |
static const char pattern[] |
230 |
= "^-[a-df-zA-Z]*e[0-9]*\\.[0-9]*[a-zA-Z]*$"; |
231 |
|
232 |
/* |
233 |
* Only recognize --server if it's the first option. rsync itself |
234 |
* always passes it that way, and if it's not the first argument, it |
235 |
* could be hidden from the server as an argument to some other |
236 |
* option. |
237 |
*/ |
238 |
if ( vec && vec[0] && vec[1] && strcmp(vec[1], "--server") == 0 ){ |
239 |
server = TRUE; |
240 |
} |
241 |
|
242 |
/* Check the remaining options for -e or --rsh. */ |
243 |
if ( regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0 ){ |
244 |
return FALSE; |
245 |
} |
246 |
while (vec && *vec){ |
247 |
if ( strcmp(*vec, "--") == 0 ) break; |
248 |
if ( strcmp(*vec, "--rsh") == 0 |
249 |
|| strncmp(*vec, "--rsh=", strlen("--rsh=")) == 0 ){ |
250 |
regfree(&re); |
251 |
return FALSE; |
252 |
} |
253 |
if ( strncmp(*vec, "--", 2) != 0 && opt_exist(*vec, 'e') ){ |
254 |
e_found = TRUE; |
255 |
if ( regexec(&re, *vec, 0, NULL, 0) != 0 ){ |
256 |
regfree(&re); |
257 |
return FALSE; |
258 |
} |
259 |
} |
260 |
vec++; |
261 |
} |
262 |
regfree(&re); |
263 |
if ( e_found && !server ) return FALSE; |
264 |
return TRUE; |
265 |
} |
266 |
|
267 |
|
268 |
/* |
201 |
* check_command_line() - take the command line passed to rssh, and verify |
269 |
* check_command_line() - take the command line passed to rssh, and verify |
202 |
* that the specified command is one the user is |
270 |
* that the specified command is one the user is |
203 |
* allowed to run and validate the arguments. Return the |
271 |
* allowed to run and validate the arguments. Return the |
Lines 230-243
char *check_command_line( char **cl, ShellOptions_t *opts )
Link Here
|
230 |
|
298 |
|
231 |
if ( check_command(*cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){ |
299 |
if ( check_command(*cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){ |
232 |
/* filter -e option */ |
300 |
/* filter -e option */ |
233 |
if ( opt_filter(cl, 'e') ) return NULL; |
301 |
if ( !rsync_e_okay(cl) ){ |
234 |
while (cl && *cl){ |
302 |
fprintf(stderr, "\ninsecure -e or --rsh option not allowed."); |
235 |
if ( strstr(*cl, "--rsh" ) ){ |
303 |
log_msg("insecure -e or --rsh option in rsync command line!"); |
236 |
fprintf(stderr, "\ninsecure --rsh= not allowed."); |
304 |
return NULL; |
237 |
log_msg("insecure --rsh option in rsync command line!"); |
|
|
238 |
return NULL; |
239 |
} |
240 |
cl++; |
241 |
} |
305 |
} |
242 |
return PATH_RSYNC; |
306 |
return PATH_RSYNC; |
243 |
} |
307 |
} |
244 |
- |
|
|