diff options
| author |  netblue30 <netblue30@protonmail.com> | 2023-02-14 11:33:35 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@protonmail.com> | 2023-02-14 11:33:35 -0500 |
| commit | b4ffaa207419715a81525e48e4ceb59d471047ee (patch) | |
| tree | 41dc01c1311770cc2d98f841c78b83194a9e2eaa | |
| parent | Merge pull request #5613 from layderv/escape-cntrl-sequences (diff) | |
| download | firejail-b4ffaa207.tar.gz firejail-b4ffaa207.tar.zst firejail-b4ffaa207.zip | |
merges; more on cleaning up esc chars
| -rw-r--r-- | README | 1 | ||||
| -rw-r--r-- | src/firejail/firejail.h | 1 | ||||
| -rw-r--r-- | src/firejail/main.c | 16 | ||||
| -rw-r--r-- | src/firejail/util.c | 23 | ||||
| -rw-r--r-- | src/lib/pid.c | 8 |
5 files changed, 31 insertions, 18 deletions
| @@ -685,6 +685,7 @@ LaurentGH (https://github.com/LaurentGH) | |||
| 685 | - allow private-bin parameters to be absolute paths | 685 | - allow private-bin parameters to be absolute paths |
| 686 | layderv (https://github.com/layderv) | 686 | layderv (https://github.com/layderv) |
| 687 | - prevent sandbox name from containing only digits | 687 | - prevent sandbox name from containing only digits |
| 688 | - clean escape control characters from the command line | ||
| 688 | lecso7 (https://github.com/lecso7) | 689 | lecso7 (https://github.com/lecso7) |
| 689 | - added goldendict profile | 690 | - added goldendict profile |
| 690 | - allow evince to read .cbz file format | 691 | - allow evince to read .cbz file format |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index a09158e9e..d1ecb1466 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -525,6 +525,7 @@ int macro_id(const char *name); | |||
| 525 | 525 | ||
| 526 | 526 | ||
| 527 | // util.c | 527 | // util.c |
| 528 | int invalid_name(const char *name); | ||
| 528 | void errLogExit(char* fmt, ...) __attribute__((noreturn)); | 529 | void errLogExit(char* fmt, ...) __attribute__((noreturn)); |
| 529 | void fwarning(char* fmt, ...); | 530 | void fwarning(char* fmt, ...); |
| 530 | void fmessage(char* fmt, ...); | 531 | void fmessage(char* fmt, ...); |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 8df6926ee..41ad3308f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -2182,16 +2182,8 @@ int main(int argc, char **argv, char **envp) { | |||
| 2182 | fprintf(stderr, "Error: please provide a name for sandbox\n"); | 2182 | fprintf(stderr, "Error: please provide a name for sandbox\n"); |
| 2183 | return 1; | 2183 | return 1; |
| 2184 | } | 2184 | } |
| 2185 | const char *c = cfg.name; | 2185 | if (invalid_name(cfg.name)) { |
| 2186 | while (*c) { | 2186 | fprintf(stderr, "Error: invalid sandbox name\n"); |
| 2187 | if (!isdigit(*c)) { | ||
| 2188 | only_numbers = 0; | ||
| 2189 | break; | ||
| 2190 | } | ||
| 2191 | ++c; | ||
| 2192 | } | ||
| 2193 | if (only_numbers) { | ||
| 2194 | fprintf(stderr, "Error: invalid sandbox name: it only contains digits\n"); | ||
| 2195 | return 1; | 2187 | return 1; |
| 2196 | } | 2188 | } |
| 2197 | } | 2189 | } |
| @@ -2201,6 +2193,10 @@ int main(int argc, char **argv, char **envp) { | |||
| 2201 | fprintf(stderr, "Error: please provide a hostname for sandbox\n"); | 2193 | fprintf(stderr, "Error: please provide a hostname for sandbox\n"); |
| 2202 | return 1; | 2194 | return 1; |
| 2203 | } | 2195 | } |
| 2196 | if (invalid_name(cfg.hostname)) { | ||
| 2197 | fprintf(stderr, "Error: invalid hostname\n"); | ||
| 2198 | return 1; | ||
| 2199 | } | ||
| 2204 | } | 2200 | } |
| 2205 | else if (strcmp(argv[i], "--nogroups") == 0) | 2201 | else if (strcmp(argv[i], "--nogroups") == 0) |
| 2206 | arg_nogroups = 1; | 2202 | arg_nogroups = 1; |
diff --git a/src/firejail/util.c b/src/firejail/util.c index b35225620..8c3a13fb8 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
| @@ -1448,6 +1448,29 @@ static int has_link(const char *dir) { | |||
| 1448 | return 0; | 1448 | return 0; |
| 1449 | } | 1449 | } |
| 1450 | 1450 | ||
| 1451 | // allow strict ASCII letters and numbers; names with only numbers are rejected; spaces are rejected | ||
| 1452 | int invalid_name(const char *name) { | ||
| 1453 | const char *c = name; | ||
| 1454 | |||
| 1455 | int only_numbers = 1; | ||
| 1456 | while (*c) { | ||
| 1457 | if (!isalnum(*c)) | ||
| 1458 | return 1; | ||
| 1459 | if (!isdigit(*c)) | ||
| 1460 | only_numbers = 0; | ||
| 1461 | ++c; | ||
| 1462 | } | ||
| 1463 | if (only_numbers) | ||
| 1464 | return 1; | ||
| 1465 | |||
| 1466 | // restrict name to 64 chars max | ||
| 1467 | if (strlen(name) > 64) | ||
| 1468 | return 1; | ||
| 1469 | |||
| 1470 | return 0; | ||
| 1471 | } | ||
| 1472 | |||
| 1473 | |||
| 1451 | void check_homedir(const char *dir) { | 1474 | void check_homedir(const char *dir) { |
| 1452 | assert(dir); | 1475 | assert(dir); |
| 1453 | if (dir[0] != '/') { | 1476 | if (dir[0] != '/') { |
diff --git a/src/lib/pid.c b/src/lib/pid.c index 2e73e85f6..9186b241a 100644 --- a/src/lib/pid.c +++ b/src/lib/pid.c | |||
| @@ -230,14 +230,6 @@ static void print_elem(unsigned index, int nowrap) { | |||
| 230 | } | 230 | } |
| 231 | free(fname); | 231 | free(fname); |
| 232 | 232 | ||
| 233 | char *sandbox_name_escaped = escape_cntrl_chars(sandbox_name); | ||
| 234 | if (sandbox_name_escaped) { | ||
| 235 | if (sandbox_name_allocated) | ||
| 236 | free(sandbox_name_allocated); | ||
| 237 | sandbox_name = sandbox_name_escaped; | ||
| 238 | sandbox_name_allocated = sandbox_name; | ||
| 239 | } | ||
| 240 | |||
| 241 | if (user == NULL) | 233 | if (user == NULL) |
| 242 | user = ""; | 234 | user = ""; |
| 243 | if (cmd) { | 235 | if (cmd) { |