Bugzilla – Attachment 892 Details for
Bug 6158
user shell with quotes could fool startup code
[patch]
Suggested patch
6158.patch (text/plain), 3.34 KB, created by
Peter Åstrand
on 2018-10-02 14:14:27 CEST
Description:
Suggested patch
Creator:
Peter Åstrand
Created:
2018-10-02 14:14:27 CEST
Size:
3.34 KB
>Index: vsm/modules/thinlinc/vsm/sessionstart.py
>===================================================================
>--- vsm/modules/thinlinc/vsm/sessionstart.py (revision 33760)
>+++ vsm/modules/thinlinc/vsm/sessionstart.py (arbetskopia)
>@@ -186,8 +186,7 @@
> vncpasswdfile = locale_encode(self.vncpasswdfile)
>
> tlsession = os.path.join(self.session_env['TLPREFIX'], "libexec", "tl-session")
>- args = [tlsession,
>- "/bin/bash", "-c", "exec -l \"$SHELL\" -c \"%s\"" % (xstartupfile),
>+ args = [tlsession, self.session_env["SHELL"], "-c", "\"%s\"" % (xstartupfile),
> "--",
> xvnc_binary, ":%d" % disp, "-depth", "24",
> "-geometry", "%dx%d" % fbsize,
>Index: vsm/tl-session-common.c
>===================================================================
>--- vsm/tl-session-common.c (revision 33760)
>+++ vsm/tl-session-common.c (arbetskopia)
>@@ -21,7 +21,7 @@
> extern char **environ;
>
> pid_t
>-subprocess(char *const cmd[], preexec_ptr preexec_fn, void *preexec_data,
>+subprocess_file(const char *file, char *const cmd[], preexec_ptr preexec_fn, void *preexec_data,
> char **envp)
> {
> int close_exec_pipe[2];
>@@ -95,7 +95,7 @@
> putenv(*envp);
> }
>
>- execvp(cmd[0], cmd);
>+ execvp(file, cmd);
>
> /* execvp failed */
> perror("subprocess: execvp");
>@@ -112,6 +112,14 @@
> }
>
>
>+pid_t
>+subprocess(char *const cmd[], preexec_ptr preexec_fn, void *preexec_data,
>+ char **envp)
>+{
>+ return subprocess_file(cmd[0], cmd, preexec_fn, preexec_data, envp);
>+}
>+
>+
> int
> print_groups(const char *progname, gid_t egid)
> {
>Index: vsm/tl-session-common.h
>===================================================================
>--- vsm/tl-session-common.h (revision 33760)
>+++ vsm/tl-session-common.h (arbetskopia)
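Review bot: The start-up file path is still spliced into a shell command string on the added `args` line, because `"\"%s\"" % (xstartupfile)` only wraps it in double quotes, inside which `"`, `$`, backquote and backslash keep their meaning for the shell that receives `-c`. Whether that path can ever contain such characters is not visible in this hunk, but quoting it with the standard helper, `"-c", pipes.quote(xstartupfile),` (`shlex.quote` on Python 3), removes the dependency on that. The string is now parsed by the user's own login shell instead of `/bin/bash`, so a comment stating that `SHELL` is expected to accept `-c` and POSIX-style quoting would help, and `self.session_env["SHELL"]` raises `KeyError` when the variable is absent. The enclosing method starts and ends outside the hunk.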
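Review bot: `execvp(file, cmd)` in the `@@ -95,7` hunk searches `PATH` whenever `file` contains no slash, and `file` is no longer tied to `cmd[0]`; judging by the tl-xinit.c change it can now be the per-user shell value. `subprocess_file` has no comment explaining the split between the two parameters, so I would add one above the definition in the `@@ -21,7` hunk, for example `/* Like subprocess(), but executes 'file' (PATH is searched if it has no '/') and passes cmd[0] only as argv[0]. */`. If a login shell is always expected to be an absolute path, the caller can reject a value that does not start with `/` before calling. Most of the function body lies outside these hunks.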
>@@ -8,6 +8,8 @@
> typedef int (*preexec_ptr)(void *data);
>
> pid_t
>+subprocess_file(const char *file, char *const cmd[], preexec_ptr preexec_fn, void *preexec_data, char **envp);
>+pid_t
> subprocess(char *const cmd[], preexec_ptr preexec_fn, void *preexec_data, char **envp);
>
> int
>Index: vsm/tl-xinit.c
>===================================================================
>--- vsm/tl-xinit.c (revision 33760)
>+++ vsm/tl-xinit.c (arbetskopia)
>@@ -977,6 +977,7 @@
> int displayarg = -1;
> char **clientargs = cmdargs;
> char **serverargs = NULL;
>+ char *clientbin;
>
> /* Parse arguments into client and server options. We are not
> using argv[0] but otoh need room for NULL */
>@@ -1045,11 +1046,20 @@
>
> set_default_environment();
>
>- /* Launch first client */
>- pid_t client = subprocess(clientargs, set_client_process, NULL, NULL);
>+ /* Launch first client. Simulate exec -l:
>+ "If the -l option is supplied, the shell places a dash at the
>+ beginning of the zeroth argument passed to command. This is
>+ what login(1) does."
>+ */
>+ clientbin = clientargs[0];
>+ clientargs[0] = malloc(strlen(clientbin) + 2); /* Space for dash and trailing zero */
>+ strcpy(clientargs[0], "-");
>+ strcat(clientargs[0], clientbin);
>+ pid_t client = subprocess_file(clientbin, clientargs, set_client_process, NULL, NULL);
> if (client < 0) {
> fprintf(stderr, PROGNAME ": Failed to execute client\n");
> }
>+ free(clientargs[0]);
>
> // Wait for client or server to exit, possibly kill server.
> while (client > 0) {
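Review bot: The `malloc` result is passed to `strcpy`/`strcat` unchecked in the `@@ -1045,11` hunk, and after `free(clientargs[0])` slot 0 of the array keeps a dangling pointer. `clientargs` aliases `cmdargs`, so any later read of the first argument would touch freed memory; the wait loop and cleanup that follow are outside the hunk, so I cannot tell whether one exists. `clientargs[0]` also reaches `strlen` without a NULL check, which matters if the argument parsing above can leave the client list empty (not visible here). The version below builds the dashed name in a local, treats an allocation failure like a failed launch, and restores the original pointer before freeing.

```c
/* … unchanged: "Simulate exec -l" comment … */
clientbin = clientargs[0];
pid_t client = -1;
char *loginarg0 = (clientbin != NULL) ? malloc(strlen(clientbin) + 2) : NULL; /* dash + name + NUL */
if (loginarg0 != NULL) {
  strcpy(loginarg0, "-");
  strcat(loginarg0, clientbin);
  clientargs[0] = loginarg0;
  client = subprocess_file(clientbin, clientargs, set_client_process, NULL, NULL);
  clientargs[0] = clientbin; /* do not leave a freed pointer in the argv array */
  free(loginarg0);
}
// … unchanged: "Failed to execute client" report and wait loop …
```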
Attachments on
bug 6158
: 892