samba/patches/samba-3.0.24-shell_escape.patch

Only in source-orig/: configure
diff -u -r source-orig/lib/charcnv.c source/lib/charcnv.c
--- source-orig/lib/charcnv.c	2006-04-19 19:29:23.000000000 -0700
+++ source/lib/charcnv.c	2007-05-10 09:59:49.023262000 -0700
@@ -1398,5 +1398,5 @@
 	/* We're hosed - we don't know how big this is... */
 	DEBUG(10,("next_mb_char_size: unknown size at string %s\n", s));
 	conv_silent = False;
-	return 1;
+	return (size_t)-1;
 }
diff -u -r source-orig/lib/smbrun.c source/lib/smbrun.c
--- source-orig/lib/smbrun.c	2006-04-19 19:29:23.000000000 -0700
+++ source/lib/smbrun.c	2007-05-10 09:57:03.305061000 -0700
@@ -55,7 +55,7 @@
 outfd (or discard it if outfd is NULL).
 ****************************************************************************/
 
-int smbrun(const char *cmd, int *outfd)
+static int smbrun_internal(const char *cmd, int *outfd, BOOL sanitize)
 {
 	pid_t pid;
 	uid_t uid = current_user.ut.uid;
@@ -173,13 +173,36 @@
 	}
 #endif
 
-	execl("/bin/sh","sh","-c",cmd,NULL);  
+	{
+		const char *newcmd = sanitize ? escape_shell_string(cmd) : cmd;
+		if (!newcmd) {
+			exit(82);
+		}
+		execl("/bin/sh","sh","-c",newcmd,NULL);  
+	}
 	
 	/* not reached */
-	exit(82);
+	exit(83);
 	return 1;
 }
 
+/****************************************************************************
+ Use only in known safe shell calls (printing).
+****************************************************************************/
+
+int smbrun_no_sanitize(const char *cmd, int *outfd)
+{
+	return smbrun_internal(cmd, outfd, False);
+}
+
+/****************************************************************************
+ By default this now sanitizes shell expansion.
+****************************************************************************/
+
+int smbrun(const char *cmd, int *outfd)
+{
+	return smbrun_internal(cmd, outfd, True);
+}
 
 /****************************************************************************
 run a command being careful about uid/gid handling and putting the output in
@@ -302,7 +325,7 @@
 #endif
 
 	execl("/bin/sh", "sh", "-c", cmd, NULL);  
-	
+
 	/* not reached */
 	exit(82);
 	return 1;
diff -u -r source-orig/lib/util_str.c source/lib/util_str.c
--- source-orig/lib/util_str.c	2007-02-04 10:59:17.000000000 -0800
+++ source/lib/util_str.c	2007-05-10 09:59:36.718762000 -0700
@@ -2426,3 +2426,165 @@
 	return True;
 }
 
+
+/*******************************************************************
+ Add a shell escape character '\' to any character not in a known list
+ of characters. UNIX charset format.
+*******************************************************************/
+
+#define INCLUDE_LIST "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabdefghijklmnopqrstuvwxyz_/ \t.,"
+#define INSIDE_DQUOTE_LIST "$`\n\"\\"
+
+char *escape_shell_string(const char *src)
+{
+	size_t srclen = strlen(src);
+	char *ret = SMB_MALLOC((srclen * 2) + 1);
+	char *dest = ret;
+	BOOL in_s_quote = False;
+	BOOL in_d_quote = False;
+	BOOL next_escaped = False;
+
+	if (!ret) {
+		return NULL;
+	}
+
+	while (*src) {
+		size_t c_size = next_mb_char_size(src);
+
+		if (c_size == (size_t)-1) {
+			SAFE_FREE(ret);
+			return NULL;
+		}
+
+		if (c_size > 1) {
+			memcpy(dest, src, c_size);
+			src += c_size;
+			dest += c_size;
+			next_escaped = False;
+			continue;
+		}
+
+		/*
+		 * Deal with backslash escaped state.
+		 * This only lasts for one character.
+		 */
+
+		if (next_escaped) {
+			*dest++ = *src++;
+			next_escaped = False;
+			continue;
+		}
+
+		/*
+		 * Deal with single quote state. The
+		 * only thing we care about is exiting
+		 * this state.
+		 */
+
+		if (in_s_quote) {
+			if (*src == '\'') {
+				in_s_quote = False;
+			}
+			*dest++ = *src++;
+			continue;
+		}
+
+		/* 
+		 * Deal with double quote state. The most
+		 * complex state. We must cope with \, meaning
+		 * possibly escape next char (depending what it
+		 * is), ", meaning exit this state, and possibly
+		 * add an \ escape to any unprotected character
+		 * (listed in INSIDE_DQUOTE_LIST).
+		 */
+
+		if (in_d_quote) {
+			if (*src == '\\') {
+				/* 
+				 * Next character might be escaped.
+				 * We have to peek. Inside double
+				 * quotes only INSIDE_DQUOTE_LIST
+				 * characters are escaped by a \.
+				 */
+
+				char nextchar;
+
+				c_size = next_mb_char_size(&src[1]);
+				if (c_size == (size_t)-1) {
+					SAFE_FREE(ret);
+					return NULL;
+				}
+				if (c_size > 1) {
+					/*
+					 * Don't escape the next char.
+					 * Just copy the \.
+					 */
+					*dest++ = *src++;
+					continue;
+				}
+
+				nextchar = src[1];
+
+				if (nextchar && strchr(INSIDE_DQUOTE_LIST, (int)nextchar)) {
+					next_escaped = True;
+				}
+				*dest++ = *src++;
+				continue;
+			}
+
+			if (*src == '\"') {
+				/* Exit double quote state. */
+				in_d_quote = False;
+				*dest++ = *src++;
+				continue;
+			}
+
+			/*
+			 * We know the character isn't \ or ",
+			 * so escape it if it's any of the other
+			 * possible unprotected characters.
+			 */
+
+	       		if (strchr(INSIDE_DQUOTE_LIST, (int)*src)) {
+				*dest++ = '\\';
+			}
+			*dest++ = *src++;
+			continue;
+		}
+
+		/* 
+		 * From here to the end of the loop we're
+		 * not in the single or double quote state.
+		 */
+
+		if (*src == '\\') {
+			/* Next character must be escaped. */
+			next_escaped = True;
+			*dest++ = *src++;
+			continue;
+		}
+
+		if (*src == '\'') {
+			/* Go into single quote state. */
+			in_s_quote = True;
+			*dest++ = *src++;
+			continue;
+		}
+
+		if (*src == '\"') {
+			/* Go into double quote state. */
+			in_d_quote = True;
+			*dest++ = *src++;
+			continue;
+		}
+
+		/* Check if we need to escape the character. */
+
+	       	if (!strchr(INCLUDE_LIST, (int)*src)) {
+			*dest++ = '\\';
+		}
+		*dest++ = *src++;
+	}
+	*dest++ = '\0';
+	return ret;
+}
diff -u -r source-orig/printing/print_generic.c source/printing/print_generic.c
--- source-orig/printing/print_generic.c	2007-02-04 10:59:13.000000000 -0800
+++ source/printing/print_generic.c	2007-05-10 09:57:03.292061000 -0700
@@ -58,7 +58,7 @@
 	if ( do_sub && snum != -1 )
 		standard_sub_snum(snum,syscmd,sizeof(syscmd));
 		
-	ret = smbrun(syscmd,outfd);
+	ret = smbrun_no_sanitize(syscmd,outfd);
 
 	DEBUG(3,("Running the command `%s' gave %d\n",syscmd,ret));
 
1	niro	201	Only in source-orig/: configure
2			diff -u -r source-orig/lib/charcnv.c source/lib/charcnv.c
3			--- source-orig/lib/charcnv.c 2006-04-19 19:29:23.000000000 -0700
4			+++ source/lib/charcnv.c 2007-05-10 09:59:49.023262000 -0700
5			@@ -1398,5 +1398,5 @@
6			/* We're hosed - we don't know how big this is... */
7			DEBUG(10,("next_mb_char_size: unknown size at string %s\n", s));
8			conv_silent = False;
9			- return 1;
10			+ return (size_t)-1;
11			}
12			diff -u -r source-orig/lib/smbrun.c source/lib/smbrun.c
13			--- source-orig/lib/smbrun.c 2006-04-19 19:29:23.000000000 -0700
14			+++ source/lib/smbrun.c 2007-05-10 09:57:03.305061000 -0700
15			@@ -55,7 +55,7 @@
16			outfd (or discard it if outfd is NULL).
17			****************************************************************************/
18
19			-int smbrun(const char cmd, int outfd)
20			+static int smbrun_internal(const char cmd, int outfd, BOOL sanitize)
21			{
22			pid_t pid;
23			uid_t uid = current_user.ut.uid;
24			@@ -173,13 +173,36 @@
25			}
26			#endif
27
28			- execl("/bin/sh","sh","-c",cmd,NULL);
29			+ {
30			+ const char *newcmd = sanitize ? escape_shell_string(cmd) : cmd;
31			+ if (!newcmd) {
32			+ exit(82);
33			+ }
34			+ execl("/bin/sh","sh","-c",newcmd,NULL);
35			+ }
36
37			/* not reached */
38			- exit(82);
39			+ exit(83);
40			return 1;
41			}
42
43			+/****************************************************************************
44			+ Use only in known safe shell calls (printing).
45			+****************************************************************************/
46			+
47			+int smbrun_no_sanitize(const char cmd, int outfd)
48			+{
49			+ return smbrun_internal(cmd, outfd, False);
50			+}
51			+
52			+/****************************************************************************
53			+ By default this now sanitizes shell expansion.
54			+****************************************************************************/
55			+
56			+int smbrun(const char cmd, int outfd)
57			+{
58			+ return smbrun_internal(cmd, outfd, True);
59			+}
60
61			/****************************************************************************
62			run a command being careful about uid/gid handling and putting the output in
63			@@ -302,7 +325,7 @@
64			#endif
65
66			execl("/bin/sh", "sh", "-c", cmd, NULL);
67			-
68			+
69			/* not reached */
70			exit(82);
71			return 1;
72			diff -u -r source-orig/lib/util_str.c source/lib/util_str.c
73			--- source-orig/lib/util_str.c 2007-02-04 10:59:17.000000000 -0800
74			+++ source/lib/util_str.c 2007-05-10 09:59:36.718762000 -0700
75			@@ -2426,3 +2426,165 @@
76			return True;
77			}
78
79			+
80			+/*******************************************************************
81			+ Add a shell escape character '\' to any character not in a known list
82			+ of characters. UNIX charset format.
83			+*******************************************************************/
84			+
85			+#define INCLUDE_LIST "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabdefghijklmnopqrstuvwxyz_/ \t.,"
86			+#define INSIDE_DQUOTE_LIST "$`\n\"\\"
87			+
88			+char escape_shell_string(const char src)
89			+{
90			+ size_t srclen = strlen(src);
91			+ char ret = SMB_MALLOC((srclen 2) + 1);
92			+ char *dest = ret;
93			+ BOOL in_s_quote = False;
94			+ BOOL in_d_quote = False;
95			+ BOOL next_escaped = False;
96			+
97			+ if (!ret) {
98			+ return NULL;
99			+ }
100			+
101			+ while (*src) {
102			+ size_t c_size = next_mb_char_size(src);
103			+
104			+ if (c_size == (size_t)-1) {
105			+ SAFE_FREE(ret);
106			+ return NULL;
107			+ }
108			+
109			+ if (c_size > 1) {
110			+ memcpy(dest, src, c_size);
111			+ src += c_size;
112			+ dest += c_size;
113			+ next_escaped = False;
114			+ continue;
115			+ }
116			+
117			+ /*
118			+ * Deal with backslash escaped state.
119			+ * This only lasts for one character.
120			+ */
121			+
122			+ if (next_escaped) {
123			+ dest++ = src++;
124			+ next_escaped = False;
125			+ continue;
126			+ }
127			+
128			+ /*
129			+ * Deal with single quote state. The
130			+ * only thing we care about is exiting
131			+ * this state.
132			+ */
133			+
134			+ if (in_s_quote) {
135			+ if (*src == '\'') {
136			+ in_s_quote = False;
137			+ }
138			+ dest++ = src++;
139			+ continue;
140			+ }
141			+
142			+ /*
143			+ * Deal with double quote state. The most
144			+ * complex state. We must cope with \, meaning
145			+ * possibly escape next char (depending what it
146			+ * is), ", meaning exit this state, and possibly
147			+ * add an \ escape to any unprotected character
148			+ * (listed in INSIDE_DQUOTE_LIST).
149			+ */
150			+
151			+ if (in_d_quote) {
152			+ if (*src == '\\') {
153			+ /*
154			+ * Next character might be escaped.
155			+ * We have to peek. Inside double
156			+ * quotes only INSIDE_DQUOTE_LIST
157			+ * characters are escaped by a \.
158			+ */
159			+
160			+ char nextchar;
161			+
162			+ c_size = next_mb_char_size(&src[1]);
163			+ if (c_size == (size_t)-1) {
164			+ SAFE_FREE(ret);
165			+ return NULL;
166			+ }
167			+ if (c_size > 1) {
168			+ /*
169			+ * Don't escape the next char.
170			+ * Just copy the \.
171			+ */
172			+ dest++ = src++;
173			+ continue;
174			+ }
175			+
176			+ nextchar = src[1];
177			+
178			+ if (nextchar && strchr(INSIDE_DQUOTE_LIST, (int)nextchar)) {
179			+ next_escaped = True;
180			+ }
181			+ dest++ = src++;
182			+ continue;
183			+ }
184			+
185			+ if (*src == '\"') {
186			+ /* Exit double quote state. */
187			+ in_d_quote = False;
188			+ dest++ = src++;
189			+ continue;
190			+ }
191			+
192			+ /*
193			+ * We know the character isn't \ or ",
194			+ * so escape it if it's any of the other
195			+ * possible unprotected characters.
196			+ */
197			+
198			+ if (strchr(INSIDE_DQUOTE_LIST, (int)*src)) {
199			+ *dest++ = '\\';
200			+ }
201			+ dest++ = src++;
202			+ continue;
203			+ }
204			+
205			+ /*
206			+ * From here to the end of the loop we're
207			+ * not in the single or double quote state.
208			+ */
209			+
210			+ if (*src == '\\') {
211			+ /* Next character must be escaped. */
212			+ next_escaped = True;
213			+ dest++ = src++;
214			+ continue;
215			+ }
216			+
217			+ if (*src == '\'') {
218			+ /* Go into single quote state. */
219			+ in_s_quote = True;
220			+ dest++ = src++;
221			+ continue;
222			+ }
223			+
224			+ if (*src == '\"') {
225			+ /* Go into double quote state. */
226			+ in_d_quote = True;
227			+ dest++ = src++;
228			+ continue;
229			+ }
230			+
231			+ /* Check if we need to escape the character. */
232			+
233			+ if (!strchr(INCLUDE_LIST, (int)*src)) {
234			+ *dest++ = '\\';
235			+ }
236			+ dest++ = src++;
237			+ }
238			+ *dest++ = '\0';
239			+ return ret;
240			+}
241			diff -u -r source-orig/printing/print_generic.c source/printing/print_generic.c
242			--- source-orig/printing/print_generic.c 2007-02-04 10:59:13.000000000 -0800
243			+++ source/printing/print_generic.c 2007-05-10 09:57:03.292061000 -0700
244			@@ -58,7 +58,7 @@
245			if ( do_sub && snum != -1 )
246			standard_sub_snum(snum,syscmd,sizeof(syscmd));
247
248			- ret = smbrun(syscmd,outfd);
249			+ ret = smbrun_no_sanitize(syscmd,outfd);
250
251			DEBUG(3,("Running the command `%s' gave %d\n",syscmd,ret));
252