diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 6 | ||||
-rw-r--r-- | src/firejail/util.c | 10 |
3 files changed, 16 insertions, 1 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index d816d42e2..315a8c7f4 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -262,6 +262,7 @@ void update_map(char *mapping, char *map_file); | |||
262 | void wait_for_other(int fd); | 262 | void wait_for_other(int fd); |
263 | void notify_other(int fd); | 263 | void notify_other(int fd); |
264 | char *expand_home(const char *path, const char* homedir); | 264 | char *expand_home(const char *path, const char* homedir); |
265 | const char *gnu_basename(const char *path); | ||
265 | 266 | ||
266 | // fs_var.c | 267 | // fs_var.c |
267 | void fs_var_log(void); // mounting /var/log | 268 | void fs_var_log(void); // mounting /var/log |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 8632952a4..14c76a144 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -215,8 +215,12 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[ | |||
215 | 215 | ||
216 | size_t i, j; | 216 | size_t i, j; |
217 | for (i = 0; i < globbuf.gl_pathc; i++) { | 217 | for (i = 0; i < globbuf.gl_pathc; i++) { |
218 | char* path = globbuf.gl_pathv[i]; | 218 | char *path = globbuf.gl_pathv[i]; |
219 | assert(path); | 219 | assert(path); |
220 | // /home/me/.* can glob to /home/me/.. which would blacklist /home/ | ||
221 | const char *base = gnu_basename(path); | ||
222 | if (strcmp(base, ".") == 0 || strcmp(base, "..") == 0) | ||
223 | continue; | ||
220 | // noblacklist is expected to be short in normal cases, so stupid and correct brute force is okay | 224 | // noblacklist is expected to be short in normal cases, so stupid and correct brute force is okay |
221 | bool okay_to_blacklist = true; | 225 | bool okay_to_blacklist = true; |
222 | for (j = 0; j < noblacklist_len; j++) { | 226 | for (j = 0; j < noblacklist_len; j++) { |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 59b975b4f..a9e96266c 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -482,3 +482,13 @@ char *expand_home(const char *path, const char* homedir) | |||
482 | return strdup(path); | 482 | return strdup(path); |
483 | } | 483 | } |
484 | 484 | ||
485 | // Equivalent to the GNU version of basename, which is incompatible with | ||
486 | // the POSIX basename. A few lines of code saves any portability pain. | ||
487 | // https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename | ||
488 | const char *gnu_basename(const char *path) | ||
489 | { | ||
490 | const char *last_slash = strrchr(path, '/'); | ||
491 | if (!last_slash) | ||
492 | return path; | ||
493 | return last_slash+1; | ||
494 | } | ||