Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: openbsd.org > bugs > 03 > 061559.html (Request Expert openbsd.org Support)

user/3310: enhancement to pax(1): -0

From: David Leonard <d(at)adaptive-enterprises.com.au>
Date: Wed Jun 11 2003 - 10:28:48 EDT


>Number: 3310
>Category: user
>Synopsis: enhancement to pax(1): -0
>Confidential: no
         

	System      : OpenBSD 3.3
	Architecture: OpenBSD.sparc
	Machine     : sparc

>Description:

	When using find(1)/pax(1) for general backups, it is possible for
	a malicious user to exploit pax's newline-termination by inserting
	newlines into pathnames. (For example, adding sensitive files 
	that you may not want written to user backup tapes/cds.)

	This is a change request to add a -0 flag to pax(1), similar to
	the -print0 function of find(1) and the -0 flag for xargs(1).

	(The patch below implements this functionality.)

	(if this is a dup, please close. mail is very dodgy here)

>How-To-Repeat:
        

>Fix:

cvs server: Diffing .
Index: extern.h


RCS file: /openbsd/cvs/src/bin/pax/extern.h,v retrieving revision 1.24
diff -u -u -r1.24 extern.h 
--- extern.h	18 Oct 2002 15:38:11 -0000	1.24
+++ extern.h	17 May 2003 04:55:37 -0000

@@ -226,6 +226,7 @@ 
 extern int Xflag;
 extern int Yflag;
 extern int Zflag;

+extern int zeroflag; 
 extern int vfpart;
 extern int patime;
 extern int pmtime;

Index: ftree.c

RCS file: /openbsd/cvs/src/bin/pax/ftree.c,v retrieving revision 1.21
diff -u -u -r1.21 ftree.c 
--- ftree.c	16 Oct 2002 19:20:02 -0000	1.21
+++ ftree.c	17 May 2003 04:55:37 -0000
@@ -84,6 +84,7 @@
 static int ftree_skip;			/* when set skip to next file arg */

 static int ftree_arg(void);
+static char *getpathname(char *, int);  

 /*

  • ftree_start() @@ -263,7 +264,6 @@ static int ftree_arg(void) { - char *pt; 
 	/*
 	 * close off the current file tree
@@ -283,10 +283,8 @@
 			 * the user didn't supply any args, get the file trees
 			 * to process from stdin;
 			 */
-			if (fgets(farray[0], PAXPATHLEN+1, stdin) == NULL)
+			if (getpathname(farray[0], PAXPATHLEN+1) == NULL)
 				return(-1);
-			if ((pt = strchr(farray[0], '\n')) != NULL)
-				*pt = '\0';
 		} else {
 			/*
 			 * the user supplied the file args as arguments to pax
@@ -502,4 +500,56 @@
 	arcn->nlen = strlcpy(arcn->name, ftent->fts_path, sizeof(arcn->name));
 	arcn->org_name = ftent->fts_path;
 	return(0);
+}
+
+/*
+ * getpathname()
+ *	Reads a pathname from stdin, handling null- or newline-termination.
+ * Return:
+ *	NULL at end of file, otherwise the null-terminated buffer.
+ */
+
+static char *
+getpathname(buf, buflen)
+	char *buf;
+	int buflen;
+{
+	char *pt;
+	int i, ch;
+
+	if (zeroflag) {

Do you need help?X

+		/*
+		 * Read a null-terminated pathname, being 
+		 * especially paranoid about proper termination
+		 * and pathname length.
+		 */
+		i = 0;
+		while ((ch = getchar()) != EOF) {
+			if (ch == '\0') {
+			    buf[i] = '\0';
+			    return buf;
+			}
+			if (i < buflen - 1)
+			    buf[i++] = ch;
+			else {
+			    /* Too long - skip this path */
+			    buf[i] = '\0';
+			    paxwarn(1, "Ignoring too-long pathname: %s", buf);
+			    while ((ch = getchar()) != '\0')
+				if (ch == EOF)
+				    return(NULL);
+			    i = 0;
+			}
+		}
+		/* Ignore truncated/corrupt pathnames at EOF. */
+		if (i > 0)
+			paxwarn(1,"Ignoring unterminated pathname at EOF");
+		return NULL;
+	} else {
+		if (fgets(buf, buflen, stdin) == NULL)
+			return(NULL);
+		if ((pt = strchr(buf, '\n')) != NULL)
+			*pt = '\0';
+		return buf;
+	}

 }
Index: gen_subs.c

RCS file: /openbsd/cvs/src/bin/pax/gen_subs.c,v retrieving revision 1.15
diff -u -u -r1.15 gen_subs.c 
--- gen_subs.c	16 Oct 2002 19:20:02 -0000	1.15
+++ gen_subs.c	17 May 2003 04:55:37 -0000
@@ -91,8 +91,13 @@
 	 * if not verbose, just print the file name
 	 */
 	if (!vflag) {
-		safe_print(arcn->name, fp);
-		(void)putc('\n', fp);
+		if (zeroflag) {
+			(void)fputs(arcn->name, fp);
+			(void)putc('\0', fp);
+		} else {
+			safe_print(arcn->name, fp);
+			(void)putc('\n', fp);
+		}
 		(void)fflush(fp);
 		return;
 	}

Index: options.c

RCS file: /openbsd/cvs/src/bin/pax/options.c,v retrieving revision 1.55
diff -u -u -r1.55 options.c 
--- options.c	18 Oct 2002 15:38:11 -0000	1.55
+++ options.c	17 May 2003 04:55:37 -0000
@@ -198,7 +198,7 @@
 	/*
 	 * process option flags
 	 */
-	while ((c=getopt(argc,argv,"ab:cdf:iklno:p:rs:tuvwx:zB:DE:G:HLPT:U:XYZ"))
+	while ((c=getopt(argc,argv,"ab:cdf:iklno:p:rs:tuvwx:zB:DE:G:HLPT:U:XYZ0"))
 	    != -1) {
 		switch (c) {
 		case 'a':
@@ -508,6 +508,14 @@
 			 */
 			Zflag = 1;
 			flg |= CZF;
+			break;
+		case '0':
+			/*
+			 * Use \0 as pathname terminator.
+			 * (For use with the -print0 option of find(1).)

Do you need more help?X

+			 */
+			zeroflag = 1;
+			flg |= C0F;
 			break;
 		default:
 			pax_usage();

Index: options.h

RCS file: /openbsd/cvs/src/bin/pax/options.h,v retrieving revision 1.2
diff -u -u -r1.2 options.h 
--- options.h	23 Jun 1996 14:20:37 -0000	1.2
+++ options.h	17 May 2003 04:55:37 -0000
@@ -88,12 +88,13 @@
 #define	CXF	0x08000000
 #define	CYF	0x10000000	/* nonstandard extension */
 #define	CZF	0x20000000	/* nonstandard extension */
+#define	C0F	0x40000000	/* nonstandard extension */
 
 /*
  * ascii string indexed by bit position above (alter the above and you must
  • alter this string) used to tell the user what flags caused us to complain */ -#define FLGCH "abcdfiklnoprstuvwxBDEGHLPTUXYZ" +#define FLGCH "abcdfiklnoprstuvwxBDEGHLPTUXYZ0"

 /*

  • legal pax operation bit patterns Index: pax.1
    RCS file: /openbsd/cvs/src/bin/pax/pax.1,v retrieving revision 1.34 diff -u -u -r1.34 pax.1 --- pax.1 18 Oct 2002 15:38:11 -0000 1.34 +++ pax.1 17 May 2003 04:55:37 -0000 @@ -46,7 +46,7 @@ .Nd read and write file archives and copy directory hierarchies .Sh SYNOPSIS .Nm pax -.Op Fl cdnvz +.Op Fl 0cdnvz .Bk -words .Op Fl f Ar archive .Ek @@ -109,7 +109,7 @@ .Op Ar pattern ... .Nm pax .Fl w -.Op Fl dituvzHLPX +.Op Fl 0dituvzHLPX .Bk -words .Op Fl b Ar blocksize .Ek @@ -152,7 +152,7 @@ .Nm pax .Fl r .Fl w -.Op Fl diklntuvDHLPXYZ +.Op Fl 0diklntuvDHLPXYZ .Bk -words .Op Fl p Ar string .Ar ... @@ -384,6 +384,22 @@ Tape drives in particular are more likely to not support an append operation. An archive stored in a regular file system file or on a disk device will usually support an append operation. +.It Fl 0 +Use the NUL +.Pq Ql \e0 +character as a pathname terminator, instead of newline +.Pq Ql \en . +This applies only to the pathnames read from standard input in +the write and copy modes, +and to the pathnames written to standard output in list mode. +This option is expected to be used in concert with the +.Fl print0 +function in +.Xr find 1 +or the +.Fl 0 +flag in +.Xr xargs 1 . .It Fl b Ar blocksize When .Em writing Index: pax.c
    RCS file: /openbsd/cvs/src/bin/pax/pax.c,v retrieving revision 1.22 diff -u -u -r1.22 pax.c --- pax.c 16 Oct 2002 19:20:02 -0000 1.22 +++ pax.c 17 May 2003 04:55:37 -0000 @@ -95,6 +95,7 @@ int Xflag; /* archive files with same device id only */ int Yflag; /* same as Dflg except after name mode */ int Zflag; /* same as uflg except after name mode */ +int zeroflag; /* use \0 as pathname terminator */ int vfpart; /* is partial verbose output in progress */ int patime = 1; /* preserve file access time */ int pmtime = 1; /* preserve file modification times */

>Release-Note:
Received on Wed Jun 11 14:18:54 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:29:58 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library