HardenedBSD/bin
Jilles Tjoelker d358fa780b wordexp: Rewrite to make WRDE_NOCMD reliable.
Shell syntax is too complicated to detect command substitution and unquoted
operators reliably without implementing much of sh's parser. Therefore, have
sh do this detection.

While changing sh's support anyway, also read input from a pipe instead of
arguments to avoid {ARG_MAX} limits and improve privacy, and output count
and length using 16 instead of 8 digits.

The basic concept is:
execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2",
    "", flags & WRDE_NOCMD ? "-p" : "", <pipe with words>);

The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to
fail strings containing unquoted braces with code WRDE_BADCHAR. Since this
is normally not a syntax error in sh, there is still a need for checking
code in libc, we_check().

The new we_check() is an optimistic check that all the characters
  <newline> | & ; < > ( ) { }
are quoted. To avoid duplicating too much sh logic, such characters are
permitted when quoting characters are seen, even if the quoting characters
may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad
characters that get past it and are a syntax error in sh return WRDE_SYNTAX.

Although many implementations of WRDE_NOCMD erroneously allow some command
substitutions (and ours even documented this), there appears to be code that
relies on its security (codesearch.debian.net shows quite a few uses).
Passing untrusted data to wordexp() still exposes a denial of service
possibility and a fairly large attack surface.

Reviewed by:	wblock (man page only)
MFC after:	2 weeks
Relnotes:	yes
Security:	fixes command execution with wordexp(untrusted, WRDE_NOCMD)
2015-09-30 21:32:29 +00:00
cat
chflags
chio
chmod
cp
csh
date
dd Mention the dd-like recoverdisk(1) to help folks find this great BSD command. 2015-07-16 23:38:12 +00:00
df Use exit() instead of return in main(). 2015-08-28 00:44:58 +00:00
domainname
echo
ed
expr
freebsd-version
getfacl
hostname
kenv
kill
ln
ls Skip the B_flag testcase to stop blowing up freebsd-current@ with 2015-09-30 17:43:02 +00:00
mkdir
mv mv: Improve message when moving two or more files to non-directory. 2015-06-28 21:36:00 +00:00
pax
pkill Make pkill/pgrep -j ARG take jname, not just jid. 2015-08-22 05:04:36 +00:00
ps Update META_MODE dependencies. 2015-09-17 05:06:34 +00:00
pwait
pwd
rcp
realpath
rm Respect locale settings. 2015-08-28 00:49:30 +00:00
rmail
rmdir
setfacl Expose an interface to determine if an ACE is inherited. 2015-09-04 00:14:20 +00:00
sh wordexp: Rewrite to make WRDE_NOCMD reliable. 2015-09-30 21:32:29 +00:00
sleep
stty Prevent potential integer overflow 2015-07-13 05:59:41 +00:00
sync
test
tests
uuidgen
Makefile
Makefile.inc