The plugin/filter short name detection is very liberal, reserving only
'.' and '/'. Thus, at least in theory, short plugin names containing
almost arbitrary symbols and characters are permitted.
Backslash ought to have been reserved when we added Windows support.
We should probably reserve more characters, but in this commit I only
reserve:
* backslash (ie. directory separator on Windows)
* ':' and ';' (common path separators)
* '=' (used in nbdkit parameters)
* space and comma (commonly used to separate lists)
* non-printable ASCII characters
Also DIR_SEPARATOR_STR, but that's likely to be already covered by the
other tests so probably does nothing here.
This commit is mainly about tightening up corner cases with possible
security implications, for example if you managed to trick a program
to invoke 'nbdkit "plugin param"' that might have an ambiguous parsing
that you could use to your advantage. It should have no effect on
normal, non-adversarial usage.
---
server/options.h | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/server/options.h b/server/options.h
index 7d0730bae7..8b1bd679e9 100644
--- a/server/options.h
+++ b/server/options.h
@@ -117,7 +117,23 @@ static const struct option long_options[] = {
static inline bool
is_short_name (const char *filename)
{
- return strchr (filename, '.') == NULL && strchr (filename, '/') == NULL;
+ const size_t n = strlen (filename);
+ size_t i;
+
+ for (i = 0; i < n; ++i) {
+ switch (filename[i]) {
+ case '\0'...31: case 127: /* non-printable ASCII */
+ case '/': case '\\': /* directory separators */
+ case ':': case ';': /* path separators */
+ case ' ':
+ case '.':
+ case ',':
+ case '=':
+ return false;
+ }
+ }
+
+ return strstr (filename, DIR_SEPARATOR_STR) == NULL;
}
#endif /* NBDKIT_OPTIONS_H */
--
2.44.0
_______________________________________________
Libguestfs mailing list -- guestfs@lists.libguestfs.org
To unsubscribe send an email to guestfs-le...@lists.libguestfs.org
