diff options
author | Florian Weimer <fweimer@redhat.com> | 2015-10-02 11:34:13 +0200 |
---|---|---|
committer | Florian Weimer <fweimer@redhat.com> | 2015-10-02 11:34:13 +0200 |
commit | 676599b36a92f3c201c5682ee7a5caddd9f370a4 (patch) | |
tree | 6860752c26ccab76ee9db5e60ff465d1edf25feb /gshadow/tst-putsgent.c | |
parent | b0f81637d5bda47be93bac34b68f429a12979321 (diff) | |
download | glibc-676599b36a92f3c201c5682ee7a5caddd9f370a4.tar.gz glibc-676599b36a92f3c201c5682ee7a5caddd9f370a4.tar.xz glibc-676599b36a92f3c201c5682ee7a5caddd9f370a4.zip |
Harden putpwent, putgrent, putspent, putspent against injection [BZ #18724]
This prevents injection of ':' and '\n' into output functions which use the NSS files database syntax. Critical fields (user/group names and file system paths) are checked strictly. For backwards compatibility, the GECOS field is rewritten instead. The getent program is adjusted to use the put*ent functions in libc, instead of local copies. This changes the behavior of getent if user names start with '-' or '+'.
Diffstat (limited to 'gshadow/tst-putsgent.c')
-rw-r--r-- | gshadow/tst-putsgent.c | 168 |
1 files changed, 168 insertions, 0 deletions
diff --git a/gshadow/tst-putsgent.c b/gshadow/tst-putsgent.c new file mode 100644 index 0000000000..5b0f381bc5 --- /dev/null +++ b/gshadow/tst-putsgent.c @@ -0,0 +1,168 @@ +/* Test for processing of invalid gshadow entries. [BZ #18724] + Copyright (C) 2015 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +#include <errno.h> +#include <gshadow.h> +#include <stdbool.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +static bool errors; + +static void +check (struct sgrp e, const char *expected) +{ + char *buf; + size_t buf_size; + FILE *f = open_memstream (&buf, &buf_size); + + if (f == NULL) + { + printf ("open_memstream: %m\n"); + errors = true; + return; + } + + int ret = putsgent (&e, f); + + if (expected == NULL) + { + if (ret == -1) + { + if (errno != EINVAL) + { + printf ("putsgent: unexpected error code: %m\n"); + errors = true; + } + } + else + { + printf ("putsgent: unexpected success (\"%s\")\n", e.sg_namp); + errors = true; + } + } + else + { + /* Expect success. */ + size_t expected_length = strlen (expected); + if (ret == 0) + { + long written = ftell (f); + + if (written <= 0 || fflush (f) < 0) + { + printf ("stream error: %m\n"); + errors = true; + } + else if (buf[written - 1] != '\n') + { + printf ("FAILED: \"%s\" without newline\n", expected); + errors = true; + } + else if (strncmp (buf, expected, written - 1) != 0 + || written - 1 != expected_length) + { + printf ("FAILED: \"%s\" (%ld), expected \"%s\" (%zu)\n", + buf, written - 1, expected, expected_length); + errors = true; + } + } + else + { + printf ("FAILED: putsgent (expected \"%s\"): %m\n", expected); + errors = true; + } + } + + fclose (f); + free (buf); +} + +static int +do_test (void) +{ + check ((struct sgrp) { + .sg_namp = (char *) "root", + }, + "root:::"); + check ((struct sgrp) { + .sg_namp = (char *) "root", + .sg_passwd = (char *) "password", + }, + "root:password::"); + check ((struct sgrp) { + .sg_namp = (char *) "root", + .sg_passwd = (char *) "password", + .sg_adm = (char *[]) {(char *) "adm1", (char *) "adm2", NULL}, + .sg_mem = (char *[]) {(char *) "mem1", (char *) "mem2", NULL}, + }, + "root:password:adm1,adm2:mem1,mem2"); + + /* Bad values. */ + { + static const char *const bad_strings[] = { + ":", + "\n", + ":bad", + "\nbad", + "b:ad", + "b\nad", + "bad:", + "bad\n", + "b:a\nd", + ",", + "\n,", + ":,", + ",bad", + "b,ad", + "bad,", + NULL + }; + for (const char *const *bad = bad_strings; *bad != NULL; ++bad) + { + char *members[] + = {(char *) "first", (char *) *bad, (char *) "last", NULL}; + if (strpbrk (*bad, ":\n") != NULL) + { + check ((struct sgrp) { + .sg_namp = (char *) *bad, + }, NULL); + check ((struct sgrp) { + .sg_namp = (char *) "root", + .sg_passwd = (char *) *bad, + }, NULL); + } + check ((struct sgrp) { + .sg_namp = (char *) "root", + .sg_passwd = (char *) "password", + .sg_adm = members + }, NULL); + check ((struct sgrp) { + .sg_namp = (char *) "root", + .sg_passwd = (char *) "password", + .sg_mem = members + }, NULL); + } + } + + return errors; +} + +#define TEST_FUNCTION do_test () +#include "../test-skeleton.c" |