From a0b283a60f734c38faa8e7cd594ace1657ce74b0 Mon Sep 17 00:00:00 2001 From: John D Pell Date: Sun, 8 Aug 2021 09:36:28 +0200 Subject: [PATCH] WUtil: Be more strict about base directory for wmkdirhier() The original code refused to create anything not in $WMAKER_USER_ROOT, now we go one step further and limit creation inside its 'Library' or 'Defaults' sub-directories. --- WINGs/proplist.c | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/WINGs/proplist.c b/WINGs/proplist.c index e7a764df..0fccf9b4 100644 --- a/WINGs/proplist.c +++ b/WINGs/proplist.c @@ -1732,23 +1732,36 @@ Bool WMWritePropListToFile(WMPropList * plist, const char *path) * file, and the last component is stripped off. the rest is the * the hierarchy to be created. * - * refuses to create anything outside $WMAKER_USER_ROOT + * refuses to create anything outside $WMAKER_USER_ROOT/Defaults or $WMAKER_USER_ROOT/Library * * returns 1 on success, 0 on failure */ int wmkdirhier(const char *path) { - const char *t; + const char *libpath; + char *udefpath; + int cmp; char *thePath = NULL, buf[1024]; size_t p, plen; struct stat st; - /* Only create directories under $WMAKER_USER_ROOT */ - if ((t = wusergnusteppath()) == NULL) - return 0; - if (strncmp(path, t, strlen(t)) != 0) - return 0; + /* Only create directories under $WMAKER_USER_ROOT/Defaults or $WMAKER_USER_ROOT/Library */ + libpath = wuserdatapath(); + if (strncmp(path, libpath, strlen(libpath)) == 0) + if (path[strlen(libpath)] == '/') + goto path_in_valid_tree; + udefpath = wdefaultspathfordomain(""); + cmp = strncmp(path, udefpath, strlen(udefpath)); + wfree(udefpath); + if (cmp == 0) + /* Note: by side effect, 'udefpath' already contains a final '/' */ + goto path_in_valid_tree; + + /* If we reach this point, the path is outside the allowed tree */ + return 0; + + path_in_valid_tree: thePath = wstrdup(path); /* Strip the trailing component if it is a file */ p = strlen(thePath); @@ -1771,7 +1784,6 @@ int wmkdirhier(const char *path) } memset(buf, 0, sizeof(buf)); - strncpy(buf, t, sizeof(buf) - 1); p = strlen(buf); plen = strlen(thePath); @@ -1782,7 +1794,7 @@ int wmkdirhier(const char *path) strncpy(buf, thePath, p); if (mkdir(buf, 0777) == -1 && errno == EEXIST && stat(buf, &st) == 0 && !S_ISDIR(st.st_mode)) { - werror(_("Could not create component %s"), buf); + werror(_("Could not create path component %s"), buf); wfree(thePath); return 0; } -- 2.11.4.GIT