aboutsummaryrefslogtreecommitdiffstats
path: root/ftp
diff options
context:
space:
mode:
authornovel <novel@FreeBSD.org>2005-09-26 19:38:08 +0800
committernovel <novel@FreeBSD.org>2005-09-26 19:38:08 +0800
commit9e3a6125eb23542ed7be7550e6b140330496bab1 (patch)
tree413f1ff1159dd9aea7dacb94a599f17d40daeb60 /ftp
parent654495b399742c57e15a115c29c79bba9e8c988a (diff)
downloadfreebsd-ports-gnome-9e3a6125eb23542ed7be7550e6b140330496bab1.tar.gz
freebsd-ports-gnome-9e3a6125eb23542ed7be7550e6b140330496bab1.tar.zst
freebsd-ports-gnome-9e3a6125eb23542ed7be7550e6b140330496bab1.zip
Fix insecure use of popen().
Obtained from: wzdftpd-security maillist
Diffstat (limited to 'ftp')
-rw-r--r--ftp/wzdftpd/Makefile1
-rw-r--r--ftp/wzdftpd/files/patch-popen-bug62
2 files changed, 63 insertions, 0 deletions
diff --git a/ftp/wzdftpd/Makefile b/ftp/wzdftpd/Makefile
index d7c63a8051b2..804919d044d4 100644
--- a/ftp/wzdftpd/Makefile
+++ b/ftp/wzdftpd/Makefile
@@ -7,6 +7,7 @@
PORTNAME= wzdftpd
PORTVERSION= 0.5.4
+PORTREVISION= 1
CATEGORIES= ftp ipv6
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= ${PORTNAME}
diff --git a/ftp/wzdftpd/files/patch-popen-bug b/ftp/wzdftpd/files/patch-popen-bug
new file mode 100644
index 000000000000..f9896c22cf24
--- /dev/null
+++ b/ftp/wzdftpd/files/patch-popen-bug
@@ -0,0 +1,62 @@
+--- src/wzd_mod.c.orig 2005-09-26 09:34:42.000000000 +0200
++++ src/wzd_mod.c 2005-09-26 09:46:41.000000000 +0200
+@@ -102,6 +102,7 @@
+ } protocol_handler_t;
+
+ static int _hook_print_file(const char *filename, wzd_context_t *context);
++void _cleanup_shell_command(char * buffer, size_t length);
+
+ static protocol_handler_t * proto_handler_list=NULL;
+ static unsigned int _reply_code;
+@@ -378,6 +379,8 @@
+ {
+ *(buffer+l_command++) = ' ';
+ (void)wzd_strncpy(buffer + l_command, buffer_args, sizeof(buffer) - l_command - 1);
++ /* SECURITY filter buffer for shell special characters ! */
++ _cleanup_shell_command(buffer,sizeof(buffer));
+ if ( (command_output = popen(buffer,"r")) == NULL ) {
+ out_log(LEVEL_HIGH,"Hook '%s': unable to popen\n",hook->external_command);
+ return 1;
+@@ -438,6 +441,8 @@
+ else
+ {
+ /* *(buffer+l_command++) = ' ';*/
++ /* SECURITY filter buffer for shell special characters ! */
++ _cleanup_shell_command(buffer,sizeof(buffer));
+ if ( (command_output = popen(buffer,"r")) == NULL ) {
+ out_log(LEVEL_HIGH,"Hook '%s': unable to popen\n",hook->external_command);
+ return 1;
+@@ -733,6 +738,8 @@
+ }
+
+
++/*************** STATIC ****************/
++
+ static int _hook_print_file(const char *filename, wzd_context_t *context)
+ {
+ wzd_cache_t * fp;
+@@ -765,3 +772,24 @@
+
+ return 0;
+ }
++
++void _cleanup_shell_command(char * buffer, size_t length)
++{
++ const char * specials = "$\\|;!`()'\"#.,:*?{}[]&<>-~";
++ size_t i,j;
++ char * buf2;
++
++ buf2 = wzd_malloc(length);
++
++ for (i=0,j=0; buffer[i]!='\0' && i<length && j<length; i++,j++) {
++ if (strchr(specials,buffer[i]) != NULL) {
++ if (j+1 >= length) { buf2[j]='\0'; break; }
++ buf2[j++] = '\\';
++ }
++ buf2[j] = buffer[i];
++ }
++
++ wzd_strncpy(buffer,buf2,length);
++ wzd_free(buf2);
++}
++