Date: Thu, 10 Sep 2015 22:45:14 +0200
From: Jilles Tjoelker <jilles@stack.nl>
To: freebsd-hackers@freebsd.org
Subject: D3614 wordexp(): reliable WRDE_NOCMD by extending sh
Message-ID: <20150910204514.GB24907@stack.nl>
It appears that there is some wordexp() use that may depend on security of
WRDE_NOCMD. The current wordexp() allows arbitrary command execution even if
WRDE_NOCMD is set, since shell syntax is too complicated to detect command
substitution and unquoted operators reliably without implementing much of
sh's parser.

This diff fixes this by adding some functionality to sh (as opposed to
implementing a full shell parser in libc). The new functionality is an
undocumented builtin utility freebsd_wordexp that invokes the parser and
expansion code. The old undocumented builtin utility wordexp may be removed
at some point.

The basic concept is:

    execl("/bin/sh", "sh", "-c",
        "freebsd_wordexp ${1:+\"$1\"} -f \"$2\"",
        "",
        flags & WRDE_NOCMD ? "-p" : "",
        <pipe with words>);

Apart from implementing wordexp(), freebsd_wordexp is also useful to fuzz
more of sh than can be reached via sh -n. I fixed two bugs in the expansion
code via fuzzing (already committed as r287081 and r287148).

I may use this freebsd_ prefix more often for non-standard functionality.

While changing sh's support anyway, also read input from a pipe instead of
arguments to avoid {ARG_MAX} limits and improve privacy, and output count
and length using 16 instead of 8 digits.

The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to
fail strings containing unquoted braces with code WRDE_BADCHAR. Since this
is normally not a syntax error in sh, there is still a need for checking
code in libc, we_check(). The new we_check() is an optimistic check that all
the characters <newline> | & ; < > ( ) { } are quoted. To avoid duplicating
too much sh logic, such characters are permitted when quoting characters
are seen, even if the quoting characters may themselves be quoted. This
code reports all WRDE_BADCHAR errors; bad characters that get past it and
are a syntax error in sh return WRDE_SYNTAX.

The diff is at https://reviews.freebsd.org/D3614

-- 
Jilles Tjoelker
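The following is an added illustration of the libc-side pre-check the mail describes, not the we_check() from D3614 or any FreeBSD code: a small quote-tracking scanner that returns WRDE_BADCHAR when one of the characters <newline> | & ; < > ( ) { } appears outside single quotes, double quotes or a backslash escape. The function name check_badchar, the state machine and the sample inputs are assumptions made for this example; unlike the optimistic check in the review, it tracks backslash-escaped quotes, so it is stricter, but it still leaves unterminated quotes to the shell (which would report WRDE_SYNTAX).

```c
/*
 * Illustrative WRDE_BADCHAR pre-check (example code, not FreeBSD's we_check()).
 * It scans a wordexp() input string and reports WRDE_BADCHAR if any of the
 * characters POSIX requires to be quoted is found unquoted.
 */
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

#ifndef WRDE_BADCHAR
#define WRDE_BADCHAR 1   /* fallback for this example only; normally from <wordexp.h> */
#endif

/* Characters that must be quoted in a wordexp() input string (per the mail). */
static const char we_badchars[] = "\n|&;<>(){}";

/*
 * Returns 0 when every bad character is quoted, WRDE_BADCHAR otherwise.
 * An unterminated quote is not an error here: the shell turns it into
 * WRDE_SYNTAX, which is how the mail describes the division of labour.
 */
int check_badchar(const char *words)
{
    int squote = 0, dquote = 0;
    const char *p;

    for (p = words; *p != '\0'; p++) {
        if (squote) {
            if (*p == '\'')
                squote = 0;
            continue;               /* nothing is special inside '...' */
        }
        if (*p == '\\') {
            if (p[1] != '\0')
                p++;                /* backslash quotes the next character */
            continue;
        }
        if (dquote) {
            if (*p == '"')
                dquote = 0;
            continue;               /* "..." quotes all of the bad characters */
        }
        if (*p == '\'') {
            squote = 1;
            continue;
        }
        if (*p == '"') {
            dquote = 1;
            continue;
        }
        if (strchr(we_badchars, *p) != NULL)
            return WRDE_BADCHAR;    /* unquoted operator, brace or newline */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample inputs for the demonstration. */
    static const char *samples[] = {
        "plain words here",   /* ok */
        "foo;bar",            /* unquoted ';' */
        "'a;b' c",            /* ';' inside single quotes */
        "\"a|b\"",            /* '|' inside double quotes */
        "a\\;b",              /* backslash-quoted ';' */
        "$(ls)",              /* unquoted '(' and ')' */
        "x{1,2}",             /* unquoted braces */
        "\"a\\\"(b\"",        /* escaped quote does not end the string */
        "'unterminated",      /* left for the shell to reject */
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s -> %s\n", samples[i],
            check_badchar(samples[i]) == WRDE_BADCHAR ? "WRDE_BADCHAR" : "ok");
    return 0;
}
```

Because the scanner only answers the WRDE_BADCHAR question, everything else (command substitution under WRDE_NOCMD, parse errors) stays with sh, matching the split the mail argues for: libc checks what POSIX makes it responsible for, and the shell's own parser decides the rest.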