diff options
| author | Roman Bogorodskiy <novel@FreeBSD.org> | 2005-09-26 11:38:08 +0000 |
|---|---|---|
| committer | Roman Bogorodskiy <novel@FreeBSD.org> | 2005-09-26 11:38:08 +0000 |
| commit | ad0c9360926e4cd446ea3edd2e92bbec18b3f356 (patch) | |
| tree | 875ec4a409333577a07d4c9fd7d2d745bd46ab83 /ftp/wzdftpd | |
| parent | d0438b7d232cb3029b35761b2c0e3e51af837814 (diff) | |
| download | ports-ad0c9360926e4cd446ea3edd2e92bbec18b3f356.tar.gz ports-ad0c9360926e4cd446ea3edd2e92bbec18b3f356.zip | |
Fix insecure use of popen().
Obtained from: wzdftpd-security maillist
Notes
Notes:
svn path=/head/; revision=143579
Diffstat (limited to 'ftp/wzdftpd')
| -rw-r--r-- | ftp/wzdftpd/Makefile | 1 | ||||
| -rw-r--r-- | ftp/wzdftpd/files/patch-popen-bug | 62 |
2 files changed, 63 insertions, 0 deletions
diff --git a/ftp/wzdftpd/Makefile b/ftp/wzdftpd/Makefile index d7c63a8051b2..804919d044d4 100644 --- a/ftp/wzdftpd/Makefile +++ b/ftp/wzdftpd/Makefile @@ -7,6 +7,7 @@ PORTNAME= wzdftpd PORTVERSION= 0.5.4 +PORTREVISION= 1 CATEGORIES= ftp ipv6 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= ${PORTNAME} diff --git a/ftp/wzdftpd/files/patch-popen-bug b/ftp/wzdftpd/files/patch-popen-bug new file mode 100644 index 000000000000..f9896c22cf24 --- /dev/null +++ b/ftp/wzdftpd/files/patch-popen-bug @@ -0,0 +1,62 @@ +--- src/wzd_mod.c.orig 2005-09-26 09:34:42.000000000 +0200 ++++ src/wzd_mod.c 2005-09-26 09:46:41.000000000 +0200 +@@ -102,6 +102,7 @@ + } protocol_handler_t; + + static int _hook_print_file(const char *filename, wzd_context_t *context); ++void _cleanup_shell_command(char * buffer, size_t length); + + static protocol_handler_t * proto_handler_list=NULL; + static unsigned int _reply_code; +@@ -378,6 +379,8 @@ + { + *(buffer+l_command++) = ' '; + (void)wzd_strncpy(buffer + l_command, buffer_args, sizeof(buffer) - l_command - 1); ++ /* SECURITY filter buffer for shell special characters ! */ ++ _cleanup_shell_command(buffer,sizeof(buffer)); + if ( (command_output = popen(buffer,"r")) == NULL ) { + out_log(LEVEL_HIGH,"Hook '%s': unable to popen\n",hook->external_command); + return 1; +@@ -438,6 +441,8 @@ + else + { + /* *(buffer+l_command++) = ' ';*/ ++ /* SECURITY filter buffer for shell special characters ! */ ++ _cleanup_shell_command(buffer,sizeof(buffer)); + if ( (command_output = popen(buffer,"r")) == NULL ) { + out_log(LEVEL_HIGH,"Hook '%s': unable to popen\n",hook->external_command); + return 1; +@@ -733,6 +738,8 @@ + } + + ++/*************** STATIC ****************/ ++ + static int _hook_print_file(const char *filename, wzd_context_t *context) + { + wzd_cache_t * fp; +@@ -765,3 +772,24 @@ + + return 0; + } ++ ++void _cleanup_shell_command(char * buffer, size_t length) ++{ ++ const char * specials = "$\\|;!`()'\"#.,:*?{}[]&<>-~"; ++ size_t i,j; ++ char * buf2; ++ ++ buf2 = wzd_malloc(length); ++ ++ for (i=0,j=0; buffer[i]!='\0' && i<length && j<length; i++,j++) { ++ if (strchr(specials,buffer[i]) != NULL) { ++ if (j+1 >= length) { buf2[j]='\0'; break; } ++ buf2[j++] = '\\'; ++ } ++ buf2[j] = buffer[i]; ++ } ++ ++ wzd_strncpy(buffer,buf2,length); ++ wzd_free(buf2); ++} ++ |