fix --private-cwd problem

author: netblue30 <netblue30@protonmail.com> 2021-12-19 14:49:35 -0500
committer: netblue30 <netblue30@protonmail.com> 2021-12-19 14:49:35 -0500
commit: d2e10f8b728eb83f05c1c57cf06a28a6cd48f58f (patch)
tree: 5296957c4fa8ee5036e862bb36e46d8c01fc4b0d /src/firejail/fs_home.c
parent: Merge branch 'master' of ssh://github.com/netblue30/firejail (diff)
download: firejail-d2e10f8b728eb83f05c1c57cf06a28a6cd48f58f.tar.gz
firejail-d2e10f8b728eb83f05c1c57cf06a28a6cd48f58f.tar.zst
firejail-d2e10f8b728eb83f05c1c57cf06a28a6cd48f58f.zip
1 files changed, 9 insertions, 4 deletions
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 4558934da..b410ba68e 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -456,15 +456,20 @@ void fs_check_private_dir(void) {
 void fs_check_private_cwd(const char *dir) {
        EUID_ASSERT();
        invalid_filename(dir, 0); // no globbing
+        if (strcmp(dir, ".") == 0 || *dir != '/')
+                goto errout;
        // Expand the working directory
        cfg.cwd = expand_macros(dir);
        // realpath/is_dir not used because path may not exist outside of jail
-        if (strstr(cfg.cwd, "..")) {
+        if (strstr(cfg.cwd, ".."))
-                fprintf(stderr, "Error: invalid private working directory\n");
+                goto errout;
-                exit(1);
-        }
+        return;
+errout:
+        fprintf(stderr, "Error: invalid private working directory\n");
+        exit(1);
 }
 //***********************************************************************************
author	netblue30 <netblue30@protonmail.com>	2021-12-19 14:49:35 -0500
committer	netblue30 <netblue30@protonmail.com>	2021-12-19 14:49:35 -0500
commit	d2e10f8b728eb83f05c1c57cf06a28a6cd48f58f (patch)
tree	5296957c4fa8ee5036e862bb36e46d8c01fc4b0d /src/firejail/fs_home.c
parent	Merge branch 'master' of ssh://github.com/netblue30/firejail (diff)
download	firejail-d2e10f8b728eb83f05c1c57cf06a28a6cd48f58f.tar.gz firejail-d2e10f8b728eb83f05c1c57cf06a28a6cd48f58f.tar.zst firejail-d2e10f8b728eb83f05c1c57cf06a28a6cd48f58f.zip

diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 4558934da..b410ba68e 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c
@@ -456,15 +456,20 @@ void fs_check_private_dir(void) {
456	void fs_check_private_cwd(const char *dir) {	456	void fs_check_private_cwd(const char *dir) {
457	EUID_ASSERT();	457	EUID_ASSERT();
458	invalid_filename(dir, 0); // no globbing	458	invalid_filename(dir, 0); // no globbing
		459	if (strcmp(dir, ".") == 0 \|\| *dir != '/')
		460	goto errout;
459		461
460	// Expand the working directory	462	// Expand the working directory
461	cfg.cwd = expand_macros(dir);	463	cfg.cwd = expand_macros(dir);
462		464
463	// realpath/is_dir not used because path may not exist outside of jail	465	// realpath/is_dir not used because path may not exist outside of jail
464	if (strstr(cfg.cwd, "..")) {	466	if (strstr(cfg.cwd, ".."))
465	fprintf(stderr, "Error: invalid private working directory\n");	467	goto errout;
466	exit(1);	468
467	}	469	return;
		470	errout:
		471	fprintf(stderr, "Error: invalid private working directory\n");
		472	exit(1);
468	}	473	}
469		474
470	//***********************************************************************************	475	//***********************************************************************************