diff options
author | layderv <20249311+layderv@users.noreply.github.com> | 2023-01-15 05:50:31 -0500 |
---|---|---|
committer | layderv <20249311+layderv@users.noreply.github.com> | 2023-01-15 05:50:31 -0500 |
commit | ab4bd9c707cd3e872039abd00b3274a01d7dd1c2 (patch) | |
tree | 157e46011a126ef194595350dd5efe743c8d2c4a /src | |
parent | RELNOTES: add related PR to --apparmor= item (diff) | |
download | firejail-ab4bd9c707cd3e872039abd00b3274a01d7dd1c2.tar.gz firejail-ab4bd9c707cd3e872039abd00b3274a01d7dd1c2.tar.zst firejail-ab4bd9c707cd3e872039abd00b3274a01d7dd1c2.zip |
Escape control characters
Names and commands can contain control characters:
```
firejail --name="$(echo -e '\e[31mRed\n\b\b\bText\e[0m')" sleep 10s
```
results in "Text" printed in red.
Prevent commands like `--tree` to control the terminal.
Diffstat (limited to 'src')
-rw-r--r-- | src/include/common.h | 1 | ||||
-rw-r--r-- | src/lib/common.c | 55 | ||||
-rw-r--r-- | src/lib/pid.c | 16 |
3 files changed, 71 insertions, 1 deletions
diff --git a/src/include/common.h b/src/include/common.h index ed6560701..dc80e678d 100644 --- a/src/include/common.h +++ b/src/include/common.h | |||
@@ -143,6 +143,7 @@ int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid); | |||
143 | int pid_hidepid(void); | 143 | int pid_hidepid(void); |
144 | char *do_replace_cntrl_chars(char *str, char c); | 144 | char *do_replace_cntrl_chars(char *str, char c); |
145 | char *replace_cntrl_chars(const char *str, char c); | 145 | char *replace_cntrl_chars(const char *str, char c); |
146 | char *escape_cntrl_chars(const char *str); | ||
146 | int has_cntrl_chars(const char *str); | 147 | int has_cntrl_chars(const char *str); |
147 | void reject_cntrl_chars(const char *fname); | 148 | void reject_cntrl_chars(const char *fname); |
148 | void reject_meta_chars(const char *fname, int globbing); | 149 | void reject_meta_chars(const char *fname, int globbing); |
diff --git a/src/lib/common.c b/src/lib/common.c index 111366782..338e9316c 100644 --- a/src/lib/common.c +++ b/src/lib/common.c | |||
@@ -404,6 +404,61 @@ char *replace_cntrl_chars(const char *str, char c) { | |||
404 | return rv; | 404 | return rv; |
405 | } | 405 | } |
406 | 406 | ||
407 | char *escape_cntrl_chars(const char *str) { | ||
408 | if (str) { | ||
409 | unsigned int cntrl_chars = 0; | ||
410 | const char *c = str; | ||
411 | while (*c) { | ||
412 | switch (*c++) { | ||
413 | case '\b': | ||
414 | case '\a': | ||
415 | case '\e': | ||
416 | case '\f': | ||
417 | case '\n': | ||
418 | case '\r': | ||
419 | case '\t': | ||
420 | case '\v': | ||
421 | case '\"': | ||
422 | case '\'': | ||
423 | case '\?': | ||
424 | case '\\': | ||
425 | ++cntrl_chars; | ||
426 | default: break; | ||
427 | } | ||
428 | } | ||
429 | char *rv = malloc(strlen(str) + cntrl_chars + 1); | ||
430 | char *ptr = rv; | ||
431 | if (!rv) | ||
432 | errExit("malloc"); | ||
433 | c = str; | ||
434 | while (*c) { | ||
435 | if (iscntrl(*c)) { | ||
436 | *ptr++ = '\\'; | ||
437 | switch (*c) { | ||
438 | case '\b': *ptr++ = 'b'; break; | ||
439 | case '\a': *ptr++ = 'a'; break; | ||
440 | case '\e': *ptr++ = 'e'; break; | ||
441 | case '\f': *ptr++ = 'f'; break; | ||
442 | case '\n': *ptr++ = 'n'; break; | ||
443 | case '\r': *ptr++ = 'r'; break; | ||
444 | case '\t': *ptr++ = 't'; break; | ||
445 | case '\v': *ptr++ = 'v'; break; | ||
446 | case '\"': *ptr++ = '\"'; break; | ||
447 | case '\'': *ptr++ = '\''; break; | ||
448 | case '\?': *ptr++ = '?'; break; | ||
449 | case '\\': *ptr++ = '\\'; break; | ||
450 | } | ||
451 | } else { | ||
452 | *ptr++ = *c; | ||
453 | } | ||
454 | c++; | ||
455 | } | ||
456 | *ptr = '\0'; | ||
457 | return rv; | ||
458 | } | ||
459 | return NULL; | ||
460 | } | ||
461 | |||
407 | int has_cntrl_chars(const char *str) { | 462 | int has_cntrl_chars(const char *str) { |
408 | assert(str); | 463 | assert(str); |
409 | 464 | ||
diff --git a/src/lib/pid.c b/src/lib/pid.c index 5e9b20c94..cb9686648 100644 --- a/src/lib/pid.c +++ b/src/lib/pid.c | |||
@@ -197,6 +197,12 @@ static void print_elem(unsigned index, int nowrap) { | |||
197 | char *user = pid_get_user_name(uid); | 197 | char *user = pid_get_user_name(uid); |
198 | char *user_allocated = user; | 198 | char *user_allocated = user; |
199 | 199 | ||
200 | char *cmd_escape = escape_cntrl_chars(cmd); | ||
201 | if (cmd_escape) { | ||
202 | free(cmd); | ||
203 | cmd = cmd_escape; | ||
204 | } | ||
205 | |||
200 | // extract sandbox name - pid == index | 206 | // extract sandbox name - pid == index |
201 | char *sandbox_name = ""; | 207 | char *sandbox_name = ""; |
202 | char *sandbox_name_allocated = NULL; | 208 | char *sandbox_name_allocated = NULL; |
@@ -224,7 +230,15 @@ static void print_elem(unsigned index, int nowrap) { | |||
224 | } | 230 | } |
225 | free(fname); | 231 | free(fname); |
226 | 232 | ||
227 | if (user ==NULL) | 233 | char *sandbox_name_escape = escape_cntrl_chars(sandbox_name); |
234 | if (sandbox_name_escape) { | ||
235 | if (sandbox_name_allocated) | ||
236 | free(sandbox_name_allocated); | ||
237 | sandbox_name = sandbox_name_escape; | ||
238 | sandbox_name_allocated = sandbox_name; | ||
239 | } | ||
240 | |||
241 | if (user == NULL) | ||
228 | user = ""; | 242 | user = ""; |
229 | if (cmd) { | 243 | if (cmd) { |
230 | if (col < 4 || nowrap) | 244 | if (col < 4 || nowrap) |