From 5a90781cd867ea3ff38af5587e2aad188e4c5170 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Thu, 5 May 2016 17:20:04 -0400
Subject: [PATCH] lib: Add more filename validations (no ., .. or /) in commit logic

The filesystem commit code will never give us potentially hostile filenames, and when importing from archives, we do some validation. However, we should be extra paranoid and also add error messages in the mtree in case someone tries to import a hostile libarchive-supported format.

Closes: #283
Approved by: jlebon
---
 src/libostree/ostree-mutable-tree.c | 8 ++++++++
 src/libostree/ostree-repo-commit.c | 4 ++++
 2 files changed, 12 insertions(+)

diff --git a/src/libostree/ostree-mutable-tree.c b/src/libostree/ostree-mutable-tree.c
index bc4f4250..d0f21f37 100644
--- a/src/libostree/ostree-mutable-tree.c
+++ b/src/libostree/ostree-mutable-tree.c
@@ -159,6 +159,11 @@ ostree_mutable_tree_replace_file (OstreeMutableTree *self,
 {
 gboolean ret = FALSE;
+ g_return_val_if_fail (name != NULL, FALSE);
+
+ if (!ot_util_filename_validate (name, error))
+ goto out;
+
 if (g_hash_table_lookup (self->subdirs, name))
 {
 g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
@@ -187,6 +192,9 @@ ostree_mutable_tree_ensure_dir (OstreeMutableTree *self,
 g_return_val_if_fail (name != NULL, FALSE);
+ if (!ot_util_filename_validate (name, error))
+ goto out;
+
 if (g_hash_table_lookup (self->files, name))
 {
 g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
diff --git a/src/libostree/ostree-repo-commit.c b/src/libostree/ostree-repo-commit.c
index 60eb6260..19040a45 100644
--- a/src/libostree/ostree-repo-commit.c
+++ b/src/libostree/ostree-repo-commit.c
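Review bot: `ostree_mutable_tree_replace_file` and `ostree_mutable_tree_ensure_dir` now fail on names that `ot_util_filename_validate` rejects, but neither hunk documents that, and the diffstat lists only the two source files, so no test exercises the rejection. I would add to both doc comments something like `@name: a single path component; ".", ".." and names containing "/" are rejected with @error set`, and a test that passes each of those names to both functions and checks for FALSE with an error set. The two `goto out` paths depend on an `out:` label and on the rest of each body, which lie outside the hunks. Any other function in this file that inserts into `self->files` or `self->subdirs` is not visible here and should be checked for going through the same validation.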
@@ -2225,6 +2225,10 @@ create_tree_variant_from_hashes (GHashTable *file_checksums,
 while (g_hash_table_iter_next (&hash_iter, &key, &value))
 {
 const char *name = key;
+
+ /* Should have been validated earlier, but be paranoid */
+ g_assert (ot_util_filename_validate (name, NULL));
+
 sorted_filenames = g_slist_prepend (sorted_filenames, (char*)name);
 }
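Review bot: The validation in `create_tree_variant_from_hashes` sits inside `g_assert`, which GLib compiles out when `G_DISABLE_ASSERT` is defined, so in such builds the call to `ot_util_filename_validate` disappears together with the check it was meant to add. Where the assertion is active, a bad name aborts the process, and passing `NULL` for the error discards the reason for the rejection. If aborting is intended, make the call unconditional, for example `if (!ot_util_filename_validate (name, NULL)) g_error ("invalid filename in tree: %s", name);`. Otherwise report the failure to the caller; whether that is possible depends on the function's signature and return type, which are only partly visible in the hunk header.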