Avoid symlink attack in localcharset module. Use fcntl_h.m4 from gnulib.

6 files changed, 220 insertions, 62 deletions

diff --git a/gettext-runtime/intl/ChangeLog b/gettext-runtime/intl/ChangeLog
index 0fefa04..6dd1b7f 100644
--- a/gettext-runtime/intl/ChangeLog
+++ b/gettext-runtime/intl/ChangeLog
@@ -1,3 +1,11 @@
+2009-10-18  Bruno Haible  <bruno@clisp.org>
+
+	Avoid symlink attack in localcharset module.
+	* localcharset.c: Include <fcntl.h>, <unistd.h>.
+	(O_NOFOLLOW): Define fallback.
+	(get_charset_aliases): Don't open the file if it is a symbolic link.
+	Reported by Fergal Glynn <fglynn@veracode.com>.
+
 2009-08-20  Eric Blake  <ebb9@byu.net>
 
 	* vasnprintf.c (decimal_point_char): Avoid warning on old-style
diff --git a/gettext-runtime/intl/localcharset.c b/gettext-runtime/intl/localcharset.c
index 434fc7c..e808967 100644
--- a/gettext-runtime/intl/localcharset.c
+++ b/gettext-runtime/intl/localcharset.c
@@ -24,6 +24,7 @@
 /* Specification.  */
 #include "localcharset.h"
 
+#include <fcntl.h>
 #include <stddef.h>
 #include <stdio.h>
 #include <string.h>
@@ -45,6 +46,7 @@
 #endif
 
 #if !defined WIN32_NATIVE
+# include <unistd.h>
 # if HAVE_LANGINFO_CODESET
 #  include <langinfo.h>
 # else
@@ -76,6 +78,11 @@
 # include "configmake.h"
 #endif
 
+/* Define O_NOFOLLOW to 0 on platforms where it does not exist.  */
+#ifndef O_NOFOLLOW
+# define O_NOFOLLOW 0
+#endif
+
 #if defined _WIN32 || defined __WIN32__ || defined __CYGWIN__ || defined __EMX__ || defined __DJGPP__
   /* Win32, Cygwin, OS/2, DOS */
 # define ISSLASH(C) ((C) == '/' || (C) == '\\')
@@ -118,7 +125,6 @@ get_charset_aliases (void)
   if (cp == NULL)
     {
 #if !(defined DARWIN7 || defined VMS || defined WIN32_NATIVE || defined __CYGWIN__)
-      FILE *fp;
       const char *dir;
       const char *base = "charset.alias";
       char *file_name;
@@ -144,77 +150,105 @@ get_charset_aliases (void)
 	  }
       }
 
-      if (file_name == NULL || (fp = fopen (file_name, "r")) == NULL)
-	/* Out of memory or file not found, treat it as empty.  */
+      if (file_name == NULL)
+	/* Out of memory.  Treat the file as empty.  */
 	cp = "";
       else
 	{
-	  /* Parse the file's contents.  */
-	  char *res_ptr = NULL;
-	  size_t res_size = 0;
-
-	  for (;;)
+	  int fd;
+
+	  /* Open the file.  Reject symbolic links on platforms that support
+	     O_NOFOLLOW.  This is a security feature.  Without it, an attacker
+	     could retrieve parts of the contents (namely, the tail of the
+	     first line that starts with "* ") of an arbitrary file by placing
+	     a symbolic link to that file under the name "charset.alias" in
+	     some writable directory and defining the environment variable
+	     CHARSETALIASDIR to point to that directory.  */
+	  fd = open (file_name,
+		     O_RDONLY | (HAVE_WORKING_O_NOFOLLOW ? O_NOFOLLOW : 0));
+	  if (fd < 0)
+	    /* File not found.  Treat it as empty.  */
+	    cp = "";
+	  else
 	    {
-	      int c;
-	      char buf1[50+1];
-	      char buf2[50+1];
-	      size_t l1, l2;
-	      char *old_res_ptr;
-
-	      c = getc (fp);
-	      if (c == EOF)
-		break;
-	      if (c == '\n' || c == ' ' || c == '\t')
-		continue;
-	      if (c == '#')
-		{
-		  /* Skip comment, to end of line.  */
-		  do
-		    c = getc (fp);
-		  while (!(c == EOF || c == '\n'));
-		  if (c == EOF)
-		    break;
-		  continue;
-		}
-	      ungetc (c, fp);
-	      if (fscanf (fp, "%50s %50s", buf1, buf2) < 2)
-		break;
-	      l1 = strlen (buf1);
-	      l2 = strlen (buf2);
-	      old_res_ptr = res_ptr;
-	      if (res_size == 0)
+	      FILE *fp;
+
+	      fp = fdopen (fd, "r");
+	      if (fp == NULL)
 		{
-		  res_size = l1 + 1 + l2 + 1;
-		  res_ptr = (char *) malloc (res_size + 1);
+		  /* Out of memory.  Treat the file as empty.  */
+		  close (fd);
+		  cp = "";
 		}
 	      else
 		{
-		  res_size += l1 + 1 + l2 + 1;
-		  res_ptr = (char *) realloc (res_ptr, res_size + 1);
+		  /* Parse the file's contents.  */
+		  char *res_ptr = NULL;
+		  size_t res_size = 0;
+
+		  for (;;)
+		    {
+		      int c;
+		      char buf1[50+1];
+		      char buf2[50+1];
+		      size_t l1, l2;
+		      char *old_res_ptr;
+
+		      c = getc (fp);
+		      if (c == EOF)
+			break;
+		      if (c == '\n' || c == ' ' || c == '\t')
+			continue;
+		      if (c == '#')
+			{
+			  /* Skip comment, to end of line.  */
+			  do
+			    c = getc (fp);
+			  while (!(c == EOF || c == '\n'));
+			  if (c == EOF)
+			    break;
+			  continue;
+			}
+		      ungetc (c, fp);
+		      if (fscanf (fp, "%50s %50s", buf1, buf2) < 2)
+			break;
+		      l1 = strlen (buf1);
+		      l2 = strlen (buf2);
+		      old_res_ptr = res_ptr;
+		      if (res_size == 0)
+			{
+			  res_size = l1 + 1 + l2 + 1;
+			  res_ptr = (char *) malloc (res_size + 1);
+			}
+		      else
+			{
+			  res_size += l1 + 1 + l2 + 1;
+			  res_ptr = (char *) realloc (res_ptr, res_size + 1);
+			}
+		      if (res_ptr == NULL)
+			{
+			  /* Out of memory. */
+			  res_size = 0;
+			  if (old_res_ptr != NULL)
+			    free (old_res_ptr);
+			  break;
+			}
+		      strcpy (res_ptr + res_size - (l2 + 1) - (l1 + 1), buf1);
+		      strcpy (res_ptr + res_size - (l2 + 1), buf2);
+		    }
+		  fclose (fp);
+		  if (res_size == 0)
+		    cp = "";
+		  else
+		    {
+		      *(res_ptr + res_size) = '\0';
+		      cp = res_ptr;
+		    }
 		}
-	      if (res_ptr == NULL)
-		{
-		  /* Out of memory. */
-		  res_size = 0;
-		  if (old_res_ptr != NULL)
-		    free (old_res_ptr);
-		  break;
-		}
-	      strcpy (res_ptr + res_size - (l2 + 1) - (l1 + 1), buf1);
-	      strcpy (res_ptr + res_size - (l2 + 1), buf2);
-	    }
-	  fclose (fp);
-	  if (res_size == 0)
-	    cp = "";
-	  else
-	    {
-	      *(res_ptr + res_size) = '\0';
-	      cp = res_ptr;
 	    }
-	}
 
-      if (file_name != NULL)
-	free (file_name);
+	  free (file_name);
+	}
 
 #else
 
diff --git a/gettext-runtime/m4/ChangeLog b/gettext-runtime/m4/ChangeLog
index 8d699b9..f854b70 100644
--- a/gettext-runtime/m4/ChangeLog
+++ b/gettext-runtime/m4/ChangeLog
@@ -1,3 +1,9 @@
+2009-10-18  Bruno Haible  <bruno@clisp.org>
+
+	* fcntl_h.m4: New file, from gnulib.
+	* intl.m4 (AM_INTL_SUBDIR): Require gl_FCNTL_O_FLAGS.
+	* Makefile.am (EXTRA_DIST): Add fcntl_h.m4.
+
 2009-08-14  Bruno Haible  <bruno@clisp.org>
 
 	* eoverflow.m4: Remove file. Obsoleted by gnulib's 'errno' module.
diff --git a/gettext-runtime/m4/Makefile.am b/gettext-runtime/m4/Makefile.am
index 5dcfc68..ccf0f2e 100644
--- a/gettext-runtime/m4/Makefile.am
+++ b/gettext-runtime/m4/Makefile.am
@@ -5,6 +5,7 @@
 EXTRA_DIST = README \
 ansi-c++.m4 \
 codeset.m4 \
+fcntl_h.m4 \
 gettext.m4 \
 glibc2.m4 \
 glibc21.m4 \
diff --git a/gettext-runtime/m4/fcntl_h.m4 b/gettext-runtime/m4/fcntl_h.m4
new file mode 100644
index 0000000..223fa48
--- /dev/null
+++ b/gettext-runtime/m4/fcntl_h.m4
@@ -0,0 +1,108 @@
+# serial 6
+# Configure fcntl.h.
+dnl Copyright (C) 2006, 2007, 2009 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+dnl Written by Paul Eggert.
+
+AC_DEFUN([gl_FCNTL_H],
+[
+  AC_REQUIRE([gl_FCNTL_H_DEFAULTS])
+  AC_REQUIRE([gl_FCNTL_O_FLAGS])
+  gl_CHECK_NEXT_HEADERS([fcntl.h])
+  FCNTL_H='fcntl.h'
+  AC_SUBST([FCNTL_H])
+])
+
+# Test whether the flags O_NOATIME and O_NOFOLLOW actually work.
+# Define HAVE_WORKING_O_NOATIME to 1 if O_NOATIME works, or to 0 otherwise.
+# Define HAVE_WORKING_O_NOFOLLOW to 1 if O_NOFOLLOW works, or to 0 otherwise.
+AC_DEFUN([gl_FCNTL_O_FLAGS],
+[
+  dnl Persuade glibc <fcntl.h> to define O_NOATIME and O_NOFOLLOW.
+  AC_REQUIRE([AC_USE_SYSTEM_EXTENSIONS])
+  AC_CACHE_CHECK([for working fcntl.h], [gl_cv_header_working_fcntl_h],
+    [AC_RUN_IFELSE(
+       [AC_LANG_PROGRAM(
+	  [[#include <sys/types.h>
+	   #include <sys/stat.h>
+	   #include <unistd.h>
+	   #include <fcntl.h>
+	   #ifndef O_NOATIME
+	    #define O_NOATIME 0
+	   #endif
+	   #ifndef O_NOFOLLOW
+	    #define O_NOFOLLOW 0
+	   #endif
+	   static int const constants[] =
+	    {
+	      O_CREAT, O_EXCL, O_NOCTTY, O_TRUNC, O_APPEND,
+	      O_NONBLOCK, O_SYNC, O_ACCMODE, O_RDONLY, O_RDWR, O_WRONLY
+	    };
+	  ]],
+	  [[
+	    int status = !constants;
+	    {
+	      static char const sym[] = "conftest.sym";
+	      if (symlink (".", sym) != 0
+		  || close (open (sym, O_RDONLY | O_NOFOLLOW)) == 0)
+		status |= 32;
+	      unlink (sym);
+	    }
+	    {
+	      static char const file[] = "confdefs.h";
+	      int fd = open (file, O_RDONLY | O_NOATIME);
+	      char c;
+	      struct stat st0, st1;
+	      if (fd < 0
+		  || fstat (fd, &st0) != 0
+		  || sleep (1) != 0
+		  || read (fd, &c, 1) != 1
+		  || close (fd) != 0
+		  || stat (file, &st1) != 0
+		  || st0.st_atime != st1.st_atime)
+		status |= 64;
+	    }
+	    return status;]])],
+       [gl_cv_header_working_fcntl_h=yes],
+       [case $? in #(
+	32) gl_cv_header_working_fcntl_h='no (bad O_NOFOLLOW)';; #(
+	64) gl_cv_header_working_fcntl_h='no (bad O_NOATIME)';; #(
+	96) gl_cv_header_working_fcntl_h='no (bad O_NOATIME, O_NOFOLLOW)';; #(
+	 *) gl_cv_header_working_fcntl_h='no';;
+	esac],
+       [gl_cv_header_working_fcntl_h=cross-compiling])])
+
+  case $gl_cv_header_working_fcntl_h in #(
+  *O_NOATIME* | no | cross-compiling) ac_val=0;; #(
+  *) ac_val=1;;
+  esac
+  AC_DEFINE_UNQUOTED([HAVE_WORKING_O_NOATIME], [$ac_val],
+    [Define to 1 if O_NOATIME works.])
+
+  case $gl_cv_header_working_fcntl_h in #(
+  *O_NOFOLLOW* | no | cross-compiling) ac_val=0;; #(
+  *) ac_val=1;;
+  esac
+  AC_DEFINE_UNQUOTED([HAVE_WORKING_O_NOFOLLOW], [$ac_val],
+    [Define to 1 if O_NOFOLLOW works.])
+])
+
+AC_DEFUN([gl_FCNTL_MODULE_INDICATOR],
+[
+  dnl Use AC_REQUIRE here, so that the default settings are expanded once only.
+  AC_REQUIRE([gl_FCNTL_H_DEFAULTS])
+  GNULIB_[]m4_translit([$1],[abcdefghijklmnopqrstuvwxyz./-],[ABCDEFGHIJKLMNOPQRSTUVWXYZ___])=1
+])
+
+AC_DEFUN([gl_FCNTL_H_DEFAULTS],
+[
+  GNULIB_OPEN=0;    AC_SUBST([GNULIB_OPEN])
+  GNULIB_OPENAT=0;  AC_SUBST([GNULIB_OPENAT])
+  dnl Assume proper GNU behavior unless another module says otherwise.
+  HAVE_OPENAT=1;    AC_SUBST([HAVE_OPENAT])
+  REPLACE_OPEN=0;   AC_SUBST([REPLACE_OPEN])
+  REPLACE_OPENAT=0; AC_SUBST([REPLACE_OPENAT])
+])
diff --git a/gettext-runtime/m4/intl.m4 b/gettext-runtime/m4/intl.m4
index 2b446d2..a0325c3 100644
--- a/gettext-runtime/m4/intl.m4
+++ b/gettext-runtime/m4/intl.m4
@@ -1,4 +1,4 @@
-# intl.m4 serial 13 (gettext-0.18)
+# intl.m4 serial 14 (gettext-0.18)
 dnl Copyright (C) 1995-2009 Free Software Foundation, Inc.
 dnl This file is free software; the Free Software Foundation
 dnl gives unlimited permission to copy and/or distribute it,
@@ -40,6 +40,7 @@ AC_DEFUN([AM_INTL_SUBDIR],
   AC_REQUIRE([gt_PRINTF_POSIX])
   AC_REQUIRE([gl_GLIBC21])dnl
   AC_REQUIRE([gl_XSIZE])dnl
+  AC_REQUIRE([gl_FCNTL_O_FLAGS])dnl
   AC_REQUIRE([gt_INTL_MACOSX])dnl
 
   dnl Support for automake's --enable-silent-rules.