From: Jilles Tjoelker <jilles@stack.nl>
To: freebsd-hackers@freebsd.org
Subject: D3614 wordexp(): reliable WRDE_NOCMD by extending sh
Date: Thu, 10 Sep 2015 22:45:14 +0200
Message-ID: <20150910204514.GB24907@stack.nl>
List-Id: Technical Discussions relating to FreeBSD

It appears that there is some wordexp() use that may depend on the security of WRDE_NOCMD. The current wordexp() allows arbitrary command execution even if WRDE_NOCMD is set, since shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser.
This diff fixes this by adding some functionality to sh (as opposed to implementing a full shell parser in libc). The new functionality is an undocumented builtin utility freebsd_wordexp that invokes the parser and expansion code. The old undocumented builtin utility wordexp may be removed at some point.

The basic concept is:

    execl("/bin/sh", "sh", "-c",
        "freebsd_wordexp ${1:+\"$1\"} -f \"$2\"",
        "", flags & WRDE_NOCMD ? "-p" : "", );

Apart from implementing wordexp(), freebsd_wordexp is also useful to fuzz more of sh than can be reached via sh -n. I fixed two bugs in the expansion code via fuzzing (already committed as r287081 and r287148). I may use this freebsd_ prefix more often for non-standard functionality.

While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits.

The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX.

The diff is at https://reviews.freebsd.org/D3614

-- 
Jilles Tjoelker
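The paragraph on we_check() above describes the split the diff makes: libc does only an optimistic WRDE_BADCHAR scan, and sh stays the authority for syntax errors and (with -p) for command substitution. The program below is an added example illustrating that split; it is not the code from D3614 or from FreeBSD's libc. The function names we_check_optimistic, we_errname and nocmd_wordexp are my own, and the sample inputs are constructed. The checker deliberately accepts anything whose quoting it cannot judge, then hands the string to the system's real wordexp(3) with WRDE_NOCMD so the caller's view of the two-stage result can be seen.

```c
#include <stdio.h>
#include <wordexp.h>

/*
 * Added example, not the libc code from D3614: a simplified version of the
 * optimistic we_check() described in the message. It reports only
 * WRDE_BADCHAR and accepts whenever quoting is ambiguous; sh remains the
 * authority for WRDE_SYNTAX and, with -p, for WRDE_CMDSUB.
 */
static int
we_check_optimistic(const char *words)
{
	int depth = 0;	/* nesting inside ${...} or $(...) */
	char c;

	while ((c = *words++) != '\0') {
		switch (c) {
		case '\\':
			/* A backslash quotes the next character, if any. */
			if (*words != '\0')
				words++;
			break;
		case '\'': case '"': case '`':
			/* Skip to the matching delimiter; a backslash quotes
			   inside double quotes and backquotes only. */
			while (*words != '\0' && *words != c) {
				if (c != '\'' && *words == '\\' && words[1] != '\0')
					words++;
				words++;
			}
			if (*words != '\0')
				words++;
			break;
		case '$':
			/* ${...} and $(...) open a level whose operators belong
			   to the expansion, not to the word list. */
			if (*words == '{' || *words == '(') {
				words++;
				depth++;
			}
			break;
		case '}': case ')':
			if (depth-- > 0)
				break;
			return (WRDE_BADCHAR);
		case '|': case '&': case ';': case '<': case '>':
		case '(': case '{':
			if (depth > 0)
				break;
			return (WRDE_BADCHAR);
		}
	}
	return (0);
}

/* Name a wordexp(3) error code; the numeric values differ between libcs. */
static const char *
we_errname(int r)
{
	switch (r) {
	case WRDE_BADCHAR:	return ("WRDE_BADCHAR");
	case WRDE_CMDSUB:	return ("WRDE_CMDSUB");
	case WRDE_SYNTAX:	return ("WRDE_SYNTAX");
	default:		return ("other error");
	}
}

/* The libc-side check first, then the real wordexp(3) with WRDE_NOCMD. */
static int
nocmd_wordexp(const char *words, wordexp_t *we)
{
	int r;
	if ((r = we_check_optimistic(words)) != 0)
		return (r);
	return (wordexp(words, we, WRDE_NOCMD));
}

int
main(void)
{
	static const char *samples[] = {	/* constructed inputs */
		"a b 'c d'", "\"a | b\"", "a | b", "{a,b}", "$(echo cmd)",
	};
	wordexp_t we;
	size_t i, j;
	int r;
	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		printf("%-14s -> ", samples[i]);
		if ((r = nocmd_wordexp(samples[i], &we)) != 0) {
			printf("%s\n", we_errname(r));
			continue;
		}
		for (j = 0; j < we.we_wordc; j++)
			printf("[%s] ", we.we_wordv[j]);
		printf("\n");
		wordfree(&we);
	}
	return (0);
}
```

The first two samples pass both stages; "a | b" and "{a,b}" are rejected by the libc scan with WRDE_BADCHAR before any shell is involved; "$(echo cmd)" passes the optimistic scan on purpose and is rejected only by the WRDE_NOCMD stage, which is the part the diff moves into sh. On a libc other than FreeBSD's the second stage is that libc's own implementation, so the program shows the same caller-visible contract wherever it is run.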