_cleanup_free_ char *c = NULL;
CGroupAttribute *a;
+ int r;
assert(u);
assert(name);
assert(value);
if (!controller) {
- const char *dot;
-
- dot = strchr(name, '.');
- if (!dot)
+ r = cg_controller_from_attr(name, &c);
+ if (r < 0)
return -EINVAL;
- c = strndup(name, dot - name);
- if (!c)
- return -ENOMEM;
-
controller = c;
+ } else {
+ if (!filename_is_safe(name))
+ return -EINVAL;
+
+ if (!filename_is_safe(controller))
+ return -EINVAL;
}
- if (streq(controller, SYSTEMD_CGROUP_CONTROLLER))
+ if (!controller || streq(controller, SYSTEMD_CGROUP_CONTROLLER))
return -EINVAL;
a = cgroup_attribute_find_list(u->cgroup_attributes, controller, name);
assert(spec);
if (*spec == '/') {
+ if (!path_is_safe(spec))
+ return -EINVAL;
if (path) {
t = strdup(spec);
e = strchr(spec, ':');
if (!e) {
- if (strchr(spec, '/') || spec[0] == 0)
+ if (!filename_is_safe(spec))
return -EINVAL;
if (controller) {
return 0;
}
- if (e[1] != '/' || e == spec || memchr(spec, '/', e-spec))
+ t = strndup(spec, e-spec);
+ if (!t)
+ return -ENOMEM;
+ if (!filename_is_safe(t)) {
+ free(t);
return -EINVAL;
-
- if (controller) {
- t = strndup(spec, e-spec);
- if (!t)
- return -ENOMEM;
-
}
- if (path) {
- u = strdup(e+1);
- if (!u) {
- free(t);
- return -ENOMEM;
- }
+ u = strdup(e+1);
+ if (!u) {
+ free(t);
+ return -ENOMEM;
+ }
+ if (!path_is_safe(u)) {
+ free(t);
+ free(u);
+ return -EINVAL;
}
if (controller)
*controller = t;
+ else
+ free(t);
if (path)
*path = u;
+ else
+ free(u);
return 0;
}
int cg_pid_get_user_unit(pid_t pid, char **unit) {
return cg_pid_get("/user/", pid, unit);
}
+
+int cg_controller_from_attr(const char *attr, char **controller) {
+ const char *dot;
+ char *c;
+
+ assert(attr);
+ assert(controller);
+
+ if (!filename_is_safe(attr))
+ return -EINVAL;
+
+ dot = strchr(attr, '.');
+ if (!dot) {
+ *controller = NULL;
+ return 0;
+ }
+
+ c = strndup(attr, dot - attr);
+ if (!c)
+ return -ENOMEM;
+
+ if (!filename_is_safe(c)) {
+ free(c);
+ return -EINVAL;
+ }
+
+ *controller = c;
+ return 1;
+}
int cgroup_to_unit(char *cgroup, char **unit);
char **cg_shorten_controllers(char **controllers);
+
+int cg_controller_from_attr(const char *attr, char **controller);
}
int write_one_line_file_atomic(const char *fn, const char *line) {
- FILE *f;
+ _cleanup_fclose_ FILE *f = NULL;
+ _cleanup_free_ char *p = NULL;
int r;
- char *p;
assert(fn);
assert(line);
fflush(f);
- if (ferror(f)) {
- if (errno != 0)
- r = -errno;
- else
- r = -EIO;
- } else {
+ if (ferror(f))
+ r = errno ? -errno : -EIO;
+ else {
if (rename(p, fn) < 0)
r = -errno;
else
if (r < 0)
unlink(p);
- fclose(f);
- free(p);
-
return r;
}
return true;
}
+bool path_is_safe(const char *p) {
+
+ if (isempty(p))
+ return false;
+
+ if (streq(p, "..") || startswith(p, "../") || endswith(p, "/..") || strstr(p, "/../"))
+ return false;
+
+ if (strlen(p) > PATH_MAX)
+ return false;
+
+ /* The following two checks are not really dangerous, but hey, they still are confusing */
+ if (streq(p, ".") || startswith(p, "./") || endswith(p, "/.") || strstr(p, "/./"))
+ return false;
+
+ if (strstr(p, "//"))
+ return false;
+
+ return true;
+}
+
/* hey glibc, APIs with callbacks without a user pointer are so useless */
void *xbsearch_r(const void *key, const void *base, size_t nmemb, size_t size,
int (*compar) (const void *, const void *, void *), void *arg) {
}
bool filename_is_safe(const char *p);
+bool path_is_safe(const char *p);
bool string_is_safe(const char *p);
void *xbsearch_r(const void *key, const void *base, size_t nmemb, size_t size,
~ianmdlvl / elogind.git / commitdiff