[gs-cvs] gs/src
Ray Johnston
ray at casper.ghostscript.com
Fri May 16 22:46:26 PDT 2003
Update of /cvs/ghostscript/gs/src
In directory casper:/tmp/cvs-serv6652/src
Modified Files:
zfile.c
Log Message:
Security fixes. Add detection of %pipe% device when in SAFER mode. Also
fix detection of 'renamefile' to prevent rename from a file that is not on
the PermitFileControl list.
Index: zfile.c
===================================================================
RCS file: /cvs/ghostscript/gs/src/zfile.c,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -d -r1.33 -r1.34
--- zfile.c 5 May 2003 09:08:08 -0000 1.33
+++ zfile.c 17 May 2003 05:46:24 -0000 1.34
@@ -51,7 +51,7 @@
extern const char iodev_dtype_stdio[];
/* Forward references: file name parsing. */
-private int parse_file_name(const ref * op, gs_parsed_file_name_t * pfn);
+private int parse_file_name(const ref * op, gs_parsed_file_name_t * pfn, bool safemode);
private int parse_real_file_name(const ref * op,
gs_parsed_file_name_t * pfn,
gs_memory_t *mem, client_name_t cname);
@@ -163,18 +163,6 @@
/* Assuming a reduced file name. */
#endif
- /*
- * Check here for the %pipe device which is illegal when
- * LockFilePermissions is true. In the future we might want to allow
- * the %pipe device to be included on the PermitFile... paths, but
- * for now it is simply disallowed.
- */
- if (i_ctx_p->LockFilePermissions &&
- string_match( (const unsigned char*) fname, len,
- (const unsigned char*) "%pipe*", 5, NULL)
- ) {
- return e_invalidfileaccess;
- }
if (dict_find_string(&(i_ctx_p->userparams), permitgroup, &permitlist) <= 0)
return 0; /* if Permissions not found, just allow access */
#if !NEW_COMBINE_PATH
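Review bot: Removing the `%pipe*` prefix test from this permission routine narrows its coverage: the replacement lives in parse_file_name, so only callers that go through that parser are screened, while parse_real_file_name (L26-28) keeps its old signature and any path that reaches check_file_permissions from it is no longer rejected for %pipe% here. Whether that matters depends on whether gs_parse_real_file_name can ever produce a %pipe% device, which the hunk does not show; if it can, applying the same iodev-name test used in parse_file_name inside that parser would restore parity. The comment moved with the check is fine, but a one-line note at the deletion site, `/* %pipe% is rejected in parse_file_name, before this routine is reached */`, would tell the next reader where the guard went. The enclosing function starts before the hunk.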
@@ -275,11 +263,11 @@
uint rlen = sizeof(fname_reduced);
if (gp_file_name_reduce(fname, len, fname_reduced, &rlen) != gp_combine_success)
- return 0;
- fname = fname_reduced;
- len = rlen;
-#endif
+ return e_invalidaccess; /* fail if we couldn't reduce */
+ return check_file_permissions_reduced(i_ctx_p, fname_reduced, rlen, permitgroup);
+#else
return check_file_permissions_reduced(i_ctx_p, fname, len, permitgroup);
+#endif
}
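Review bot: The new failure return at L54 uses e_invalidaccess, while the other permission refusal in this file, the %pipe% test at L125, returns e_invalidfileaccess; a PostScript program that distinguishes the two will see a name that cannot be reduced reported as a different error class from a plain permission denial. Unless that distinction is intended, `return e_invalidfileaccess; /* fail if we couldn't reduce */` keeps the error uniform. The comment could also record why the behaviour flipped from the old `return 0`: a name that cannot be normalised cannot be matched against the permit list, so allowing it would bypass the list. check_file_permissions begins before the hunk.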
/* <name_string> <access_string> file <file> */
@@ -294,7 +282,7 @@
if (code < 0)
return code;
- code = parse_file_name(op - 1, &pname);
+ code = parse_file_name(op - 1, &pname, i_ctx_p->LockFilePermissions);
if (code < 0)
return code;
/*
@@ -414,7 +402,7 @@
/* and the procedure, and invoke the continuation. */
check_estack(7);
/* Get the iodevice */
- code = parse_file_name(op - 2, &pname);
+ code = parse_file_name(op - 2, &pname, i_ctx_p->LockFilePermissions);
if (code < 0)
return code;
iodev = (pname.iodev == NULL) ? iodev_default : pname.iodev;
@@ -511,7 +499,7 @@
*/
((check_file_permissions(i_ctx_p, pname1.fname, pname1.len,
"PermitFileControl") < 0 &&
- !file_is_tempfile(i_ctx_p, op - 1) < 0) ||
+ !file_is_tempfile(i_ctx_p, op - 1)) ||
(check_file_permissions(i_ctx_p, pname2.fname, pname2.len,
"PermitFileControl") < 0 ||
check_file_permissions(i_ctx_p, pname2.fname, pname2.len,
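Review bot: The corrected condition deserves a comment, because the previous form `!file_is_tempfile(...) < 0` parsed as `(!x) < 0`, which is never true, so the source-file half of the rename check could never fail, and nothing on the new line records that history. Suggest `/* the source must be on PermitFileControl, or be a temp file */` above the first check_file_permissions call. The whole expression mixes `&&` and `||` across several lines; naming the source and destination halves as local bools would make the precedence visible without changing the result. The return type of file_is_tempfile is not visible here, so the note assumes it yields a truth value. The enclosing function begins and ends outside the hunk.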
@@ -550,7 +538,7 @@
{
gs_parsed_file_name_t pname;
struct stat fstat;
- int code = parse_file_name(op, &pname);
+ int code = parse_file_name(op, &pname, i_ctx_p->LockFilePermissions);
if (code < 0)
return code;
@@ -688,7 +676,7 @@
stream *s;
check_ostack(2);
- code = parse_file_name(op, &pname);
+ code = parse_file_name(op, &pname, i_ctx_p->LockFilePermissions);
if (code < 0)
return code;
if (pname.iodev == NULL)
@@ -895,11 +883,24 @@
/* Parse a file name into device and individual name. */
/* See gsfname.c for details. */
private int
-parse_file_name(const ref * op, gs_parsed_file_name_t * pfn)
+parse_file_name(const ref * op, gs_parsed_file_name_t * pfn, bool safemode)
{
+ int code;
+
check_read_type(*op, t_string);
- return gs_parse_file_name(pfn, (const char *)op->value.const_bytes,
+ code = gs_parse_file_name(pfn, (const char *)op->value.const_bytes,
r_size(op));
+ if (code < 0)
+ return code;
+ /*
+ * Check here for the %pipe device which is illegal when
+ * LockFilePermissions is true. In the future we might want to allow
+ * the %pipe device to be included on the PermitFile... paths, but
+ * for now it is simply disallowed.
+ */
+ if (pfn->iodev && safemode && strcmp(pfn->iodev->dname, "%pipe%") == 0)
+ return e_invalidfileaccess;
+ return code;
}
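Review bot: The new `safemode` parameter is undocumented, and the comment carried over at L118-123 still speaks of LockFilePermissions, which is now a caller concern (every call site in this diff passes i_ctx_p->LockFilePermissions); suggest a line above the signature, `/* safemode: when true, refuse the %pipe% device (callers pass LockFilePermissions) */`, and rewording the block comment to say "when safemode is set". The device test compares pfn->iodev->dname with strcmp, which matches only the canonical device name; whether gs_parse_file_name normalises the case of the device prefix, so that a differently cased spelling cannot resolve to the pipe device under another dname, is not visible here and is worth confirming before relying on the exact match. The prototype change at L25 is the same edit and needs no separate note.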
/* Parse a real (non-device) file name and convert to a C string. */