aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorknu <knu@FreeBSD.org>2004-02-28 22:29:09 +0800
committerknu <knu@FreeBSD.org>2004-02-28 22:29:09 +0800
commitf34db2dc830e68022af0c2470106627aa99c1baf (patch)
tree5d0430672ae136622b8510933fe30efce994d9ed
parent73b93dd79439fb640841eb87d51808c7d05eb52a (diff)
downloadfreebsd-ports-graphics-f34db2dc830e68022af0c2470106627aa99c1baf.tar.gz
freebsd-ports-graphics-f34db2dc830e68022af0c2470106627aa99c1baf.tar.zst
freebsd-ports-graphics-f34db2dc830e68022af0c2470106627aa99c1baf.zip
Add sunshar, a "secure unshar" for ports committers, which:
- Does not execute unknown commands nor call sh(1) at all. - Does not overwrite existing files by default. - Does not extract files into upper directories. - Does have a dry run (-n) flag to see what would have been extracted. - Does have a strip (-p N) flag to strip any number of levels from pathnames. It (so far) only supports shell archives made with BSD shar.
-rwxr-xr-xTools/scripts/sunshar.rb299
-rw-r--r--Tools/scripts/sunshar/Makefile13
-rw-r--r--Tools/scripts/sunshar/sunshar.156
3 files changed, 368 insertions, 0 deletions
diff --git a/Tools/scripts/sunshar.rb b/Tools/scripts/sunshar.rb
new file mode 100755
index 00000000000..70b038e8958
--- /dev/null
+++ b/Tools/scripts/sunshar.rb
@@ -0,0 +1,299 @@
+#!/usr/bin/env ruby
+# -*- ruby -*-
+#
+# Copyright (c) 2001-2004 Akinori MUSHA
+#
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+
+RCS_ID = %q$Idaemons: /home/cvs/sunshar/sunshar.rb,v 1.13 2004/02/28 14:15:47 knu Exp $
+RCS_REVISION = RCS_ID.split[2]
+MYNAME = File.basename($0)
+
+require 'parsearg'
+require 'fileutils'
+require 'shellwords'
+require 'stringio'
+
+begin
+ require 'features/ruby18/dir'
+rescue LoadError; end
+
+$USAGE = 'usage'
+
+$strip_level = 0
+$force = false
+$dryrun = false
+$quiet = false
+$dir = nil
+
+def info(*s)
+ puts(*s) unless $quiet
+end
+
+def usage
+ print <<-EOF
+#{MYNAME} rev.#{RCS_REVISION}
+
+usage: #{MYNAME} [-fnq] [-p level] [file]
+ #{MYNAME} -h
+ -d dir chdir -- chdir to dir before extracting files
+ -f force -- allow overwriting, ignore errors
+ -h help -- show this help
+ -n dry run -- show what would have been extracted
+ -p N strip -- strip N levels from pathnames (cf. patch(1)\'s -p)
+ -q quiet -- be quiet
+ EOF
+end
+
+def main
+ parseArgs(0, nil, 'fhnq', 'd:', 'p:')
+
+ if $OPT_h
+ usage
+ exit 0
+ end
+
+ if $OPT_f
+ $force = true
+ end
+
+ if $OPT_n
+ $dryrun = true
+ end
+
+ if $OPT_q
+ $quiet = true
+ end
+
+ $dir = $OPT_d || '.'
+
+ if $OPT_p
+ $strip_level = $OPT_p.to_i rescue -1
+
+ if $strip_level < 0
+ STDERR.puts "negative value ignored: #{$OPT_p}"
+ end
+ end
+
+ nerrors = 0
+
+ if ARGV.empty?
+ info "extracting files from stdin into #{$dir}"
+
+ begin
+ Dir.chdir($dir) {
+ unshar_stream(STDIN)
+ }
+
+ info "done."
+ rescue => e
+ STDERR.puts "error in extracting stdin: #{e.message}"
+ nerrors += 1
+ end
+ else
+ for file in ARGV
+ info "extracting files from #{file} into #{$dir}"
+
+ begin
+ File.open(file) do |f|
+ Dir.chdir($dir) {
+ unshar_stream(f)
+ }
+ end
+
+ info "done."
+ rescue => e
+ STDERR.puts "error in extracting #{file}: #{e.message}"
+ nerrors += 1
+ end
+ end
+ end
+
+ exit nerrors
+end
+
+def unshar_stream(io)
+ e = nil
+
+ while line = io.gets
+ if /^(\s*)\# This is a shell archive/ =~ line
+ indent = $1.length
+ break
+ end
+ end
+
+ if io.eof?
+ raise "not a shell archive."
+ end
+
+ f = nil
+ prefix = nil
+ file = nil
+ boundary = nil
+
+ while line = io.gets
+ line.slice!(0, indent)
+
+ if f
+ if line.strip == boundary
+ f.close
+ f = nil
+ next
+ end
+
+ if line.sub!(/^#{Regexp.quote(prefix)}/, '')
+ f.print line
+ else
+ raise "line #{io.lineno}: broken archive: #{line}"
+ end
+
+ next
+ end
+
+ case line
+ when /^exit\s*$/
+ break
+ when /^echo\s+(.+)$/
+ # info $1
+ when /^mkdir\s+(?:-p\s+)?(.+)$/
+ dir = nil
+
+ Shellwords.shellwords($1).each do |word|
+ if /^[^\-]/ =~ word
+ dir = word
+ break
+ end
+ end
+
+ next if dir.nil?
+
+ dir = strip_filename(dir.strip + '/')
+ if dir.chomp('/').empty?
+ next
+ end
+
+ begin
+ FileUtils.mkdir_p(dir) unless $dryrun
+ info "c - #{dir}"
+ rescue => e
+ info "c - #{dir} ... failed: #{e.message}"
+ raise e
+ end
+ when /sed\s+(.+)>(.+)<<(.+)/
+ prefix = Shellwords.shellwords($1).first
+ file = Shellwords.shellwords($2).first
+ boundary = Shellwords.shellwords($3).first
+
+ next unless prefix && file && boundary
+
+ if /s(.)\^(.*)\1\1/ =~ prefix
+ prefix = $2
+ else
+ next
+ end
+
+ file = strip_filename(file)
+
+ next if file.empty? || boundary.empty?
+
+ overwrite = false
+
+ if File.exist?(file)
+ if $force
+ overwrite = true
+ else
+ info "x - #{file} ... skipped"
+ next
+ end
+ end
+
+ dir = File.dirname(file)
+
+ if !File.directory?(dir + "/.")
+ begin
+ FileUtils.mkdir_p(dir) unless $dryrun
+ info "d - #{dir}"
+ rescue => e
+ info "d - #{dir} ... failed: #{e.message}"
+ raise e
+ end
+ end
+
+ begin
+ f = $dryrun ? StringIO.new : File.open(file, 'w')
+ if overwrite
+ info "x - #{file} ... overwritten"
+ else
+ info "x - #{file}"
+ end
+ rescue => e
+ info "x - #{file} ... failed! (#{e.message})"
+
+ if $force
+ f = nil
+ next
+ else
+ raise e
+ end
+ end
+ end
+ end
+
+ raise e if e
+end
+
+def strip_filename(file)
+ sfile = file.gsub(%r"/{2,}", "/")
+
+ if 0 < $strip_level
+ sfile.sub!(%r"^([^/]*/){1,#{$strip_level}}", '')
+ end
+
+ case sfile
+ when %r"^[~/]"
+ raise "reference to absolute directory: #{file} (use -p N)"
+ when %r"(^|/)\.\.(?:/|$)"
+ raise "reference to parent directory: #{file} (use -p N)"
+ end
+
+ sfile
+end
+
+def signal_handler(sig)
+ info "\nInterrupted."
+
+ exit 255
+end
+
+if $0 == __FILE__
+ for sig in [2, 3, 15]
+ trap(sig) do
+ signal_handler(sig)
+ end
+ end
+
+ main
+end
diff --git a/Tools/scripts/sunshar/Makefile b/Tools/scripts/sunshar/Makefile
new file mode 100644
index 00000000000..581e717591f
--- /dev/null
+++ b/Tools/scripts/sunshar/Makefile
@@ -0,0 +1,13 @@
+# $FreeBSD$
+# $Idaemons: /home/cvs/sunshar/Makefile,v 1.1.1.1 2001/09/09 13:49:08 knu Exp $
+
+PREFIX?= /usr/local
+BINDIR= ${PREFIX}/bin
+MANDIR= ${PREFIX}/man/man
+
+SCRIPTS= sunshar.rb
+MAN= sunshar.1
+
+.PATH: ${.CURDIR}/..
+
+.include <bsd.prog.mk>
diff --git a/Tools/scripts/sunshar/sunshar.1 b/Tools/scripts/sunshar/sunshar.1
new file mode 100644
index 00000000000..ee24f229fbc
--- /dev/null
+++ b/Tools/scripts/sunshar/sunshar.1
@@ -0,0 +1,56 @@
+.\" $FreeBSD$
+.\" $Idaemons: /home/cvs/sunshar/sunshar.1,v 1.2 2004/02/28 14:14:53 knu Exp $
+.\"
+.Dd September 9, 2001
+.Dt SUNSHAR 1
+.Os FreeBSD
+.Sh NAME
+.Nm sunshar
+.Nd a secure unshar
+.Sh SYNOPSIS
+.Nm
+.Op Fl hfnq
+.Op Fl p Ar number
+.Op Ar file ...
+.Sh DESCRIPTION
+The
+.Nm
+command extracts files from the given shell archive(s). If no file
+name is given, it reads from the standard input.
+.Pp
+It brings you security because it never executes dangerous commands
+possibly contained in a shell archive. Also, it does not overwrite
+existing files unless the
+.Fl f
+option is specified.
+.Sh OPTIONS
+The following command line arguments are supported:
+.Pp
+.Bl -tag -width "-p number" -compact
+.It Fl h
+Show help and exit.
+.Pp
+.It Fl f
+Allow overwriting existing files, and ignore errors and continue.
+.Pp
+.It Fl p Ar number
+Strip
+.Ar number
+levels of path components from path names. (cf.
+.Xr patch 1 's
+.Fl p
+option)
+.Pp
+.It Fl n
+Do not extract anything but just show what would have been extracted.
+.Pp
+.It Fl q
+Be quiet.
+.El
+.Sh SEE ALSO
+.Xr shar 1
+.Sh AUTHORS
+.An Akinori MUSHA Aq knu@iDaemons.org
+.Sh BUGS
+.Nm
+only supports shell archives made with BSD shar.