mirrors/cosmopolitan
1
0
Fork 0
mirror of https://github.com/jart/cosmopolitan.git synced 2025-06-27 23:08:31 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Sanity-check set-id interpreter script paths (#1029)

Browse source
This commit is contained in:
Jōshin 2023-12-31 10:46:27 -05:00 committed by GitHub
parent 14fe83facd
commit 10b4693e37
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 41 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

50
libc/calls/getprogramexecutablename.greg.c
View file

@ -25,11 +25,11 @@
#include "libc/errno.h" #include "libc/errno.h"
#include "libc/fmt/libgen.h" #include "libc/fmt/libgen.h"
#include "libc/intrin/getenv.internal.h" #include "libc/intrin/getenv.internal.h"
#include "libc/serialize.h"
#include "libc/limits.h" #include "libc/limits.h"
#include "libc/macros.internal.h" #include "libc/macros.internal.h"
#include "libc/nt/runtime.h" #include "libc/nt/runtime.h"
#include "libc/runtime/runtime.h" #include "libc/runtime/runtime.h"
#include "libc/serialize.h"
#include "libc/str/str.h" #include "libc/str/str.h"
#include "libc/sysv/consts/at.h" #include "libc/sysv/consts/at.h"
#include "libc/sysv/consts/ok.h" #include "libc/sysv/consts/ok.h"
@ -39,6 +39,13 @@
#define KERN_PROC_PATHNAME_FREEBSD 12 #define KERN_PROC_PATHNAME_FREEBSD 12
#define KERN_PROC_PATHNAME_NETBSD 5 #define KERN_PROC_PATHNAME_NETBSD 5
#define DevFd() (IsBsd() ? "/dev/fd/" : IsLinux() ? "/proc/self/fd/" : 0)
#define StrlenDevFd() \
((IsBsd() ? sizeof("/dev/fd/") \
: IsLinux() ? sizeof("/proc/self/fd/") \
: 0) - \
1)
static struct { static struct {
atomic_uint once; atomic_uint once;
union { union {
@ -54,11 +61,21 @@ static inline int IsAlpha(int c) {
static inline int AllNumDot(const char *s) { static inline int AllNumDot(const char *s) {
while (true) { while (true) {
switch (*s++) { switch (*s++) {
default: return 0; default:
case 0: return 1; return 0;
case '0': case '1': case '2': case '3': case '4': case 0:
case '5': case '6': case '7': case '8': case '9': case '.': return 1;
; /* continue */ case '0':
case '1':
case '2':
case '3':
case '4':
case '5':
case '6':
case '7':
case '8':
case '9':
case '.':; /* continue */
} }
} }
} }
@ -68,8 +85,7 @@ static inline int AllNumDot(const char *s) {
static int OldApeLoader(char *s) { static int OldApeLoader(char *s) {
char *b; char *b;
return !strcmp(s, "/usr/bin/ape") || return !strcmp(s, "/usr/bin/ape") ||
(!strncmp((b = basename(s)), ".ape-", 5) && (!strncmp((b = basename(s)), ".ape-", 5) && AllNumDot(b + 5));
AllNumDot(b + 5));
} }
// if q exists then turn it into an absolute path. we also try adding // if q exists then turn it into an absolute path. we also try adding
@ -134,11 +150,27 @@ static inline void InitProgramExecutableNameImpl(void) {
return; return;
} }
// loader passed us a path. it may be relative. // see if the loader passed us a path.
if (__program_executable_name) { if (__program_executable_name) {
if (issetugid()) {
/* we are running as a set-id interpreter script. this is highly unusual.
it means either someone installed their ape loader set-id, or they are
running a system that supports secure set-id interpreter scripts via a
/dev/fd/ path. check for the latter and allow that. otherwise, use the
empty string to obviate the TOCTOU problem between loader and binary.
*/
if (!(b = DevFd()) ||
0 != strncmp(b, __program_executable_name, StrlenDevFd()) ||
!__program_executable_name[StrlenDevFd()] ||
__program_executable_name[StrlenDevFd()] == '.' ||
strchr(__program_executable_name + StrlenDevFd(), '/')) {
goto UseEmpty;
}
}
if (*__program_executable_name == '/') { if (*__program_executable_name == '/') {
return; return;
} }
// loader passed us a relative path; prepend cwd.
if (TryPath(__program_executable_name, 0)) { if (TryPath(__program_executable_name, 0)) {
goto UseBuf; goto UseBuf;
} }