Attachment #363270 for bug #491258

View | Details | Raw Unified | Return to bug 491258
Collapse All | Expand All




#ifdef HAVE_LIBGEN_H
#include <libgen.h>
#endif /* HAVE_LIBGEN_H */
#include <regex.h>

/* LOCAL INCLUDES */
#include "pathnames.h"



/*
 * rsync_e_okay() - take the command line passed to rssh and look for an -e
 *		    option.  If one is found, make sure --server is provided
 *		    and the option contains only the protocol information.
 *		    Also check for and reject any --rsh option.	 Returns FALSE
 *		    if the command line should not be allowed, TRUE if it is
 *		    okay.
 */
static int rsync_e_okay( char **vec )
{
	regex_t	re;
	int	server = FALSE;
	int	e_found = FALSE;

	/*
	 * rsync will send -e, followed by either just "." (meaning no special
	 * protocol) or "N.N" (meaning a pre-release protocol version),
	 * followed by some number of alphabetic flags indicating various
	 * supported options.  There may be other options between - and the e,
	 * but -e will always be the last option in the string.	 A typical
	 * option passed by the client is "-ltpre.iL".
	 *
	 * Note that if --server is given, this should never be parsed as a
	 * shell, but we'll tightly verify it anyway, just in case.
	 *
	 * This regex matches the acceptable flags containing -e, so if it
	 * does not match, the command line should be rejected.
	 */
	static const char pattern[]
	    = "^-[a-df-zA-Z]*e[0-9]*\\.[0-9]*[a-zA-Z]*$";

	/*
	 * Only recognize --server if it's the first option.  rsync itself
	 * always passes it that way, and if it's not the first argument, it
	 * could be hidden from the server as an argument to some other
	 * option.
	 */
	if ( vec && vec[0] && vec[1] && strcmp(vec[1], "--server") == 0 ){
		server = TRUE;
	}

	/* Check the remaining options for -e or --rsh. */
	if ( regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0 ){
		return FALSE;
	}
	while (vec && *vec){
		if ( strcmp(*vec, "--") == 0 ) break;
		if ( strcmp(*vec, "--rsh") == 0
		     || strncmp(*vec, "--rsh=", strlen("--rsh=")) == 0 ){
			regfree(&re);
			return FALSE;
		}
		if ( strncmp(*vec, "--", 2) != 0 && opt_exist(*vec, 'e') ){
			e_found = TRUE;
			if ( regexec(&re, *vec, 0, NULL, 0) != 0 ){
				regfree(&re);
				return FALSE;
			}
		}
		vec++;
	}
	regfree(&re);
	if ( e_found && !server ) return FALSE;
	return TRUE;
}


/*
 * check_command_line() - take the command line passed to rssh, and verify
 *			  that the specified command is one the user is
 *			  allowed to run and validate the arguments.  Return the


	if ( check_command(*cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){
		/* filter -e option */
		if ( !rsync_e_okay(cl) ){
			fprintf(stderr, "\ninsecure -e or --rsh option not allowed.");
			log_msg("insecure -e or --rsh option in rsync command line!");
			return NULL;
				log_msg("insecure --rsh option in rsync command line!");
				return NULL;
			}
			cl++;
		}
		return PATH_RSYNC;
	}
- 

Return to bug 491258

Lines 56-61 Link Here

(-)a/util.c (-9 / +72 lines)
56	#ifdef HAVE_LIBGEN_H	56	#ifdef HAVE_LIBGEN_H
57	#include <libgen.h>	57	#include <libgen.h>
58	#endif /* HAVE_LIBGEN_H */	58	#endif /* HAVE_LIBGEN_H */
		59	#include <regex.h>
59		60
60	/* LOCAL INCLUDES */	61	/* LOCAL INCLUDES */
61	#include "pathnames.h"	62	#include "pathnames.h"
Lines 198-203 bool check_command( char cl, ShellOptions_t opts, char *cmd, int cmdflag ) Link Here
198		199
199		200
200	/*	201	/*
		202	* rsync_e_okay() - take the command line passed to rssh and look for an -e
		203	* option. If one is found, make sure --server is provided
		204	* and the option contains only the protocol information.
		205	* Also check for and reject any --rsh option. Returns FALSE
		206	* if the command line should not be allowed, TRUE if it is
		207	* okay.
		208	*/
		209	static int rsync_e_okay( char **vec )
		210	{
		211	regex_t re;
		212	int server = FALSE;
		213	int e_found = FALSE;
		214
		215	/*
		216	* rsync will send -e, followed by either just "." (meaning no special
		217	* protocol) or "N.N" (meaning a pre-release protocol version),
		218	* followed by some number of alphabetic flags indicating various
		219	* supported options. There may be other options between - and the e,
		220	* but -e will always be the last option in the string. A typical
		221	* option passed by the client is "-ltpre.iL".
		222	*
		223	* Note that if --server is given, this should never be parsed as a
		224	* shell, but we'll tightly verify it anyway, just in case.
		225	*
		226	* This regex matches the acceptable flags containing -e, so if it
		227	* does not match, the command line should be rejected.
		228	*/
		229	static const char pattern[]
		230	= "^-[a-df-zA-Z]e[0-9]\\.[0-9][a-zA-Z]$";
		231
		232	/*
		233	* Only recognize --server if it's the first option. rsync itself
		234	* always passes it that way, and if it's not the first argument, it
		235	* could be hidden from the server as an argument to some other
		236	* option.
		237	*/
		238	if ( vec && vec[0] && vec[1] && strcmp(vec[1], "--server") == 0 ){
		239	server = TRUE;
		240	}
		241
		242	/* Check the remaining options for -e or --rsh. */
		243	if ( regcomp(&re, pattern, REG_EXTENDED \| REG_NOSUB) != 0 ){
		244	return FALSE;
		245	}
		246	while (vec && *vec){
		247	if ( strcmp(*vec, "--") == 0 ) break;
		248	if ( strcmp(*vec, "--rsh") == 0
		249	\|\| strncmp(*vec, "--rsh=", strlen("--rsh=")) == 0 ){
		250	regfree(&re);
		251	return FALSE;
		252	}
		253	if ( strncmp(vec, "--", 2) != 0 && opt_exist(vec, 'e') ){
		254	e_found = TRUE;
		255	if ( regexec(&re, *vec, 0, NULL, 0) != 0 ){
		256	regfree(&re);
		257	return FALSE;
		258	}
		259	}
		260	vec++;
		261	}
		262	regfree(&re);
		263	if ( e_found && !server ) return FALSE;
		264	return TRUE;
		265	}
266
267
268	/*
201	* check_command_line() - take the command line passed to rssh, and verify	269	* check_command_line() - take the command line passed to rssh, and verify
202	* that the specified command is one the user is	270	* that the specified command is one the user is
203	* allowed to run and validate the arguments. Return the	271	* allowed to run and validate the arguments. Return the
Lines 230-243 char check_command_line( char cl, ShellOptions_t opts ) Link Here
230		298
231	if ( check_command(*cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){	299	if ( check_command(*cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){
232	/* filter -e option */	300	/* filter -e option */
233	if ( opt_filter(cl, 'e') ) return NULL;	301	if ( !rsync_e_okay(cl) ){
234	while (cl && *cl){	302	fprintf(stderr, "\ninsecure -e or --rsh option not allowed.");
235	if ( strstr(*cl, "--rsh" ) ){	303	log_msg("insecure -e or --rsh option in rsync command line!");
236	fprintf(stderr, "\ninsecure --rsh= not allowed.");	304	return NULL;
237	log_msg("insecure --rsh option in rsync command line!");
238	return NULL;
239	}
240	cl++;
241	}	305	}
242	return PATH_RSYNC;	306	return PATH_RSYNC;
243	}	307	}
244	-