-rw-r--r-- | README | 1 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 16 | ||||
-rw-r--r-- | src/firejail/util.c | 23 | ||||
-rw-r--r-- | src/lib/pid.c | 8 |
5 files changed, 31 insertions, 18 deletions
@@ -685,6 +685,7 @@ LaurentGH (https://github.com/LaurentGH) | |||
685 | - allow private-bin parameters to be absolute paths | 685 | - allow private-bin parameters to be absolute paths |
686 | layderv (https://github.com/layderv) | 686 | layderv (https://github.com/layderv) |
687 | - prevent sandbox name from containing only digits | 687 | - prevent sandbox name from containing only digits |
688 | - clean escape control characters from the command line | ||
688 | lecso7 (https://github.com/lecso7) | 689 | lecso7 (https://github.com/lecso7) |
689 | - added goldendict profile | 690 | - added goldendict profile |
690 | - allow evince to read .cbz file format | 691 | - allow evince to read .cbz file format |
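--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -525,6 +525,7 @@ int macro_id(const char *name);
 
 
 // util.c
+int invalid_name(const char *name);
 void errLogExit(char* fmt, ...) __attribute__((noreturn));
 void fwarning(char* fmt, ...);
 void fmessage(char* fmt, ...);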
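--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2182,16 +2182,8 @@ int main(int argc, char **argv, char **envp) {
 fprintf(stderr, "Error: please provide a name for sandbox\n");
 return 1;
 }
-const char *c = cfg.name;
-while (*c) {
-if (!isdigit(*c)) {
-only_numbers = 0;
-break;
-}
-++c;
-}
-if (only_numbers) {
-fprintf(stderr, "Error: invalid sandbox name: it only contains digits\n");
+if (invalid_name(cfg.name)) {
+fprintf(stderr, "Error: invalid sandbox name\n");
 return 1;
 }
 }
@@ -2201,6 +2193,10 @@ int main(int argc, char **argv, char **envp) {
 fprintf(stderr, "Error: please provide a hostname for sandbox\n");
 return 1;
 }
+if (invalid_name(cfg.hostname)) {
+fprintf(stderr, "Error: invalid hostname\n");
+return 1;
+}
 }
 else if (strcmp(argv[i], "--nogroups") == 0)
 arg_nogroups = 1;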
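Review bot: Both new `invalid_name()` calls sit in command-line branches of `main()`, and the same commit drops the `escape_cntrl_chars()` pass from `print_elem` in src/lib/pid.c, so input validation becomes the only thing keeping control characters out of the sandbox listing. If `cfg.name` or `cfg.hostname` can be assigned anywhere else (profile parsing, for instance, which this page does not show), that site needs the same `if (invalid_name(...))` rejection, or the output escaping should stay as defence in depth. Separately, in the second hunk the hostname is held to the sandbox-name rules, so values containing `-` or `.` are now refused with only `Error: invalid hostname`; a message such as `"Error: invalid hostname, only ASCII letters and digits are allowed\n"` would tell the user why. `main()` starts and ends outside both hunks.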
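--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1448,6 +1448,29 @@ static int has_link(const char *dir) {
 return 0;
 }
 
+// allow strict ASCII letters and numbers; names with only numbers are rejected; spaces are rejected
+int invalid_name(const char *name) {
+const char *c = name;
+
+int only_numbers = 1;
+while (*c) {
+if (!isalnum(*c))
+return 1;
+if (!isdigit(*c))
+only_numbers = 0;
+++c;
+}
+if (only_numbers)
+return 1;
+
+// restrict name to 64 chars max
+if (strlen(name) > 64)
+return 1;
+
+return 0;
+}
+
+
 void check_homedir(const char *dir) {
 assert(dir);
 if (dir[0] != '/') {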
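Review bot: `isalnum(*c)` and `isdigit(*c)` in `invalid_name()` receive a plain `char`, which is negative for bytes above 0x7f where `char` is signed, and passing a negative value other than EOF to a <ctype.h> function is undefined behaviour. Cast at both call sites, `if (!isalnum((unsigned char)*c))` and `if (!isdigit((unsigned char)*c))`. `isalnum()` also follows the current locale, so the "strict ASCII" promise in the comment holds only while the process stays in the "C" locale (whether firejail ever calls setlocale() is not visible here); an explicit range test would remove that dependency. The comment should also state that the function returns 1 for a rejected name and 0 for an accepted one, and that the empty string is rejected through the `only_numbers` path.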
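--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -230,14 +230,6 @@ static void print_elem(unsigned index, int nowrap) {
 }
 free(fname);
 
-char *sandbox_name_escaped = escape_cntrl_chars(sandbox_name);
-if (sandbox_name_escaped) {
-if (sandbox_name_allocated)
-free(sandbox_name_allocated);
-sandbox_name = sandbox_name_escaped;
-sandbox_name_allocated = sandbox_name;
-}
-
 if (user == NULL)
 user = "";
 if (cmd) {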