diff options
Diffstat (limited to 'gettext-runtime')
-rw-r--r-- | gettext-runtime/intl/ChangeLog | 8 | ||||
-rw-r--r-- | gettext-runtime/intl/localcharset.c | 156 | ||||
-rw-r--r-- | gettext-runtime/m4/ChangeLog | 6 | ||||
-rw-r--r-- | gettext-runtime/m4/Makefile.am | 1 | ||||
-rw-r--r-- | gettext-runtime/m4/fcntl_h.m4 | 108 | ||||
-rw-r--r-- | gettext-runtime/m4/intl.m4 | 3 |
6 files changed, 220 insertions, 62 deletions
diff --git a/gettext-runtime/intl/ChangeLog b/gettext-runtime/intl/ChangeLog index 0fefa04..6dd1b7f 100644 --- a/gettext-runtime/intl/ChangeLog +++ b/gettext-runtime/intl/ChangeLog @@ -1,3 +1,11 @@ +2009-10-18 Bruno Haible <bruno@clisp.org> + + Avoid symlink attack in localcharset module. + * localcharset.c: Include <fcntl.h>, <unistd.h>. + (O_NOFOLLOW): Define fallback. + (get_charset_aliases): Don't open the file if it is a symbolic link. + Reported by Fergal Glynn <fglynn@veracode.com>. + 2009-08-20 Eric Blake <ebb9@byu.net> * vasnprintf.c (decimal_point_char): Avoid warning on old-style diff --git a/gettext-runtime/intl/localcharset.c b/gettext-runtime/intl/localcharset.c index 434fc7c..e808967 100644 --- a/gettext-runtime/intl/localcharset.c +++ b/gettext-runtime/intl/localcharset.c @@ -24,6 +24,7 @@ /* Specification. */ #include "localcharset.h" +#include <fcntl.h> #include <stddef.h> #include <stdio.h> #include <string.h> @@ -45,6 +46,7 @@ #endif #if !defined WIN32_NATIVE +# include <unistd.h> # if HAVE_LANGINFO_CODESET # include <langinfo.h> # else @@ -76,6 +78,11 @@ # include "configmake.h" #endif +/* Define O_NOFOLLOW to 0 on platforms where it does not exist. */ +#ifndef O_NOFOLLOW +# define O_NOFOLLOW 0 +#endif + #if defined _WIN32 || defined __WIN32__ || defined __CYGWIN__ || defined __EMX__ || defined __DJGPP__ /* Win32, Cygwin, OS/2, DOS */ # define ISSLASH(C) ((C) == '/' || (C) == '\\') @@ -118,7 +125,6 @@ get_charset_aliases (void) if (cp == NULL) { #if !(defined DARWIN7 || defined VMS || defined WIN32_NATIVE || defined __CYGWIN__) - FILE *fp; const char *dir; const char *base = "charset.alias"; char *file_name; @@ -144,77 +150,105 @@ get_charset_aliases (void) } } - if (file_name == NULL || (fp = fopen (file_name, "r")) == NULL) - /* Out of memory or file not found, treat it as empty. */ + if (file_name == NULL) + /* Out of memory. Treat the file as empty. */ cp = ""; else { - /* Parse the file's contents. */ - char *res_ptr = NULL; - size_t res_size = 0; - - for (;;) + int fd; + + /* Open the file. Reject symbolic links on platforms that support + O_NOFOLLOW. This is a security feature. Without it, an attacker + could retrieve parts of the contents (namely, the tail of the + first line that starts with "* ") of an arbitrary file by placing + a symbolic link to that file under the name "charset.alias" in + some writable directory and defining the environment variable + CHARSETALIASDIR to point to that directory. */ + fd = open (file_name, + O_RDONLY | (HAVE_WORKING_O_NOFOLLOW ? O_NOFOLLOW : 0)); + if (fd < 0) + /* File not found. Treat it as empty. */ + cp = ""; + else { - int c; - char buf1[50+1]; - char buf2[50+1]; - size_t l1, l2; - char *old_res_ptr; - - c = getc (fp); - if (c == EOF) - break; - if (c == '\n' || c == ' ' || c == '\t') - continue; - if (c == '#') - { - /* Skip comment, to end of line. */ - do - c = getc (fp); - while (!(c == EOF || c == '\n')); - if (c == EOF) - break; - continue; - } - ungetc (c, fp); - if (fscanf (fp, "%50s %50s", buf1, buf2) < 2) - break; - l1 = strlen (buf1); - l2 = strlen (buf2); - old_res_ptr = res_ptr; - if (res_size == 0) + FILE *fp; + + fp = fdopen (fd, "r"); + if (fp == NULL) { - res_size = l1 + 1 + l2 + 1; - res_ptr = (char *) malloc (res_size + 1); + /* Out of memory. Treat the file as empty. */ + close (fd); + cp = ""; } else { - res_size += l1 + 1 + l2 + 1; - res_ptr = (char *) realloc (res_ptr, res_size + 1); + /* Parse the file's contents. */ + char *res_ptr = NULL; + size_t res_size = 0; + + for (;;) + { + int c; + char buf1[50+1]; + char buf2[50+1]; + size_t l1, l2; + char *old_res_ptr; + + c = getc (fp); + if (c == EOF) + break; + if (c == '\n' || c == ' ' || c == '\t') + continue; + if (c == '#') + { + /* Skip comment, to end of line. */ + do + c = getc (fp); + while (!(c == EOF || c == '\n')); + if (c == EOF) + break; + continue; + } + ungetc (c, fp); + if (fscanf (fp, "%50s %50s", buf1, buf2) < 2) + break; + l1 = strlen (buf1); + l2 = strlen (buf2); + old_res_ptr = res_ptr; + if (res_size == 0) + { + res_size = l1 + 1 + l2 + 1; + res_ptr = (char *) malloc (res_size + 1); + } + else + { + res_size += l1 + 1 + l2 + 1; + res_ptr = (char *) realloc (res_ptr, res_size + 1); + } + if (res_ptr == NULL) + { + /* Out of memory. */ + res_size = 0; + if (old_res_ptr != NULL) + free (old_res_ptr); + break; + } + strcpy (res_ptr + res_size - (l2 + 1) - (l1 + 1), buf1); + strcpy (res_ptr + res_size - (l2 + 1), buf2); + } + fclose (fp); + if (res_size == 0) + cp = ""; + else + { + *(res_ptr + res_size) = '\0'; + cp = res_ptr; + } } - if (res_ptr == NULL) - { - /* Out of memory. */ - res_size = 0; - if (old_res_ptr != NULL) - free (old_res_ptr); - break; - } - strcpy (res_ptr + res_size - (l2 + 1) - (l1 + 1), buf1); - strcpy (res_ptr + res_size - (l2 + 1), buf2); - } - fclose (fp); - if (res_size == 0) - cp = ""; - else - { - *(res_ptr + res_size) = '\0'; - cp = res_ptr; } - } - if (file_name != NULL) - free (file_name); + free (file_name); + } #else diff --git a/gettext-runtime/m4/ChangeLog b/gettext-runtime/m4/ChangeLog index 8d699b9..f854b70 100644 --- a/gettext-runtime/m4/ChangeLog +++ b/gettext-runtime/m4/ChangeLog @@ -1,3 +1,9 @@ +2009-10-18 Bruno Haible <bruno@clisp.org> + + * fcntl_h.m4: New file, from gnulib. + * intl.m4 (AM_INTL_SUBDIR): Require gl_FCNTL_O_FLAGS. + * Makefile.am (EXTRA_DIST): Add fcntl_h.m4. + 2009-08-14 Bruno Haible <bruno@clisp.org> * eoverflow.m4: Remove file. Obsoleted by gnulib's 'errno' module. diff --git a/gettext-runtime/m4/Makefile.am b/gettext-runtime/m4/Makefile.am index 5dcfc68..ccf0f2e 100644 --- a/gettext-runtime/m4/Makefile.am +++ b/gettext-runtime/m4/Makefile.am @@ -5,6 +5,7 @@ EXTRA_DIST = README \ ansi-c++.m4 \ codeset.m4 \ +fcntl_h.m4 \ gettext.m4 \ glibc2.m4 \ glibc21.m4 \ diff --git a/gettext-runtime/m4/fcntl_h.m4 b/gettext-runtime/m4/fcntl_h.m4 new file mode 100644 index 0000000..223fa48 --- /dev/null +++ b/gettext-runtime/m4/fcntl_h.m4 @@ -0,0 +1,108 @@ +# serial 6 +# Configure fcntl.h. +dnl Copyright (C) 2006, 2007, 2009 Free Software Foundation, Inc. +dnl This file is free software; the Free Software Foundation +dnl gives unlimited permission to copy and/or distribute it, +dnl with or without modifications, as long as this notice is preserved. + +dnl Written by Paul Eggert. + +AC_DEFUN([gl_FCNTL_H], +[ + AC_REQUIRE([gl_FCNTL_H_DEFAULTS]) + AC_REQUIRE([gl_FCNTL_O_FLAGS]) + gl_CHECK_NEXT_HEADERS([fcntl.h]) + FCNTL_H='fcntl.h' + AC_SUBST([FCNTL_H]) +]) + +# Test whether the flags O_NOATIME and O_NOFOLLOW actually work. +# Define HAVE_WORKING_O_NOATIME to 1 if O_NOATIME works, or to 0 otherwise. +# Define HAVE_WORKING_O_NOFOLLOW to 1 if O_NOFOLLOW works, or to 0 otherwise. +AC_DEFUN([gl_FCNTL_O_FLAGS], +[ + dnl Persuade glibc <fcntl.h> to define O_NOATIME and O_NOFOLLOW. + AC_REQUIRE([AC_USE_SYSTEM_EXTENSIONS]) + AC_CACHE_CHECK([for working fcntl.h], [gl_cv_header_working_fcntl_h], + [AC_RUN_IFELSE( + [AC_LANG_PROGRAM( + [[#include <sys/types.h> + #include <sys/stat.h> + #include <unistd.h> + #include <fcntl.h> + #ifndef O_NOATIME + #define O_NOATIME 0 + #endif + #ifndef O_NOFOLLOW + #define O_NOFOLLOW 0 + #endif + static int const constants[] = + { + O_CREAT, O_EXCL, O_NOCTTY, O_TRUNC, O_APPEND, + O_NONBLOCK, O_SYNC, O_ACCMODE, O_RDONLY, O_RDWR, O_WRONLY + }; + ]], + [[ + int status = !constants; + { + static char const sym[] = "conftest.sym"; + if (symlink (".", sym) != 0 + || close (open (sym, O_RDONLY | O_NOFOLLOW)) == 0) + status |= 32; + unlink (sym); + } + { + static char const file[] = "confdefs.h"; + int fd = open (file, O_RDONLY | O_NOATIME); + char c; + struct stat st0, st1; + if (fd < 0 + || fstat (fd, &st0) != 0 + || sleep (1) != 0 + || read (fd, &c, 1) != 1 + || close (fd) != 0 + || stat (file, &st1) != 0 + || st0.st_atime != st1.st_atime) + status |= 64; + } + return status;]])], + [gl_cv_header_working_fcntl_h=yes], + [case $? in #( + 32) gl_cv_header_working_fcntl_h='no (bad O_NOFOLLOW)';; #( + 64) gl_cv_header_working_fcntl_h='no (bad O_NOATIME)';; #( + 96) gl_cv_header_working_fcntl_h='no (bad O_NOATIME, O_NOFOLLOW)';; #( + *) gl_cv_header_working_fcntl_h='no';; + esac], + [gl_cv_header_working_fcntl_h=cross-compiling])]) + + case $gl_cv_header_working_fcntl_h in #( + *O_NOATIME* | no | cross-compiling) ac_val=0;; #( + *) ac_val=1;; + esac + AC_DEFINE_UNQUOTED([HAVE_WORKING_O_NOATIME], [$ac_val], + [Define to 1 if O_NOATIME works.]) + + case $gl_cv_header_working_fcntl_h in #( + *O_NOFOLLOW* | no | cross-compiling) ac_val=0;; #( + *) ac_val=1;; + esac + AC_DEFINE_UNQUOTED([HAVE_WORKING_O_NOFOLLOW], [$ac_val], + [Define to 1 if O_NOFOLLOW works.]) +]) + +AC_DEFUN([gl_FCNTL_MODULE_INDICATOR], +[ + dnl Use AC_REQUIRE here, so that the default settings are expanded once only. + AC_REQUIRE([gl_FCNTL_H_DEFAULTS]) + GNULIB_[]m4_translit([$1],[abcdefghijklmnopqrstuvwxyz./-],[ABCDEFGHIJKLMNOPQRSTUVWXYZ___])=1 +]) + +AC_DEFUN([gl_FCNTL_H_DEFAULTS], +[ + GNULIB_OPEN=0; AC_SUBST([GNULIB_OPEN]) + GNULIB_OPENAT=0; AC_SUBST([GNULIB_OPENAT]) + dnl Assume proper GNU behavior unless another module says otherwise. + HAVE_OPENAT=1; AC_SUBST([HAVE_OPENAT]) + REPLACE_OPEN=0; AC_SUBST([REPLACE_OPEN]) + REPLACE_OPENAT=0; AC_SUBST([REPLACE_OPENAT]) +]) diff --git a/gettext-runtime/m4/intl.m4 b/gettext-runtime/m4/intl.m4 index 2b446d2..a0325c3 100644 --- a/gettext-runtime/m4/intl.m4 +++ b/gettext-runtime/m4/intl.m4 @@ -1,4 +1,4 @@ -# intl.m4 serial 13 (gettext-0.18) +# intl.m4 serial 14 (gettext-0.18) dnl Copyright (C) 1995-2009 Free Software Foundation, Inc. dnl This file is free software; the Free Software Foundation dnl gives unlimited permission to copy and/or distribute it, @@ -40,6 +40,7 @@ AC_DEFUN([AM_INTL_SUBDIR], AC_REQUIRE([gt_PRINTF_POSIX]) AC_REQUIRE([gl_GLIBC21])dnl AC_REQUIRE([gl_XSIZE])dnl + AC_REQUIRE([gl_FCNTL_O_FLAGS])dnl AC_REQUIRE([gt_INTL_MACOSX])dnl dnl Support for automake's --enable-silent-rules. |