Fix insecure use of popen().

Obtained from: wzdftpd-security maillist
svn path=/head/; revision=143579
2025-07-18 17:59:20 -04:00 · 2005-09-26 11:38:08 +00:00 · 2005-09-26 11:38:08 +00:00 · ad0c936092 · 2021-03-31 03:12:20 +00:00
commit ad0c936092
parent d0438b7d23
2 changed files with 63 additions and 0 deletions
--- a/ftp/wzdftpd/Makefile
+++ b/ftp/wzdftpd/Makefile
@ -7,6 +7,7 @@

 PORTNAME=	wzdftpd
 PORTVERSION=	0.5.4
+PORTREVISION=	1
 CATEGORIES=	ftp ipv6
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	${PORTNAME}
--- a/ftp/wzdftpd/files/patch-popen-bug
+++ b/ftp/wzdftpd/files/patch-popen-bug
@ -0,0 +1,62 @@
+--- src/wzd_mod.c.orig	2005-09-26 09:34:42.000000000 +0200
+++ src/wzd_mod.c	2005-09-26 09:46:41.000000000 +0200
+@@ -102,6 +102,7 @@
+ } protocol_handler_t;
+ 
+ static int _hook_print_file(const char *filename, wzd_context_t *context);
+void _cleanup_shell_command(char * buffer, size_t length);
+ 
+ static protocol_handler_t * proto_handler_list=NULL;
+ static unsigned int _reply_code;
+@@ -378,6 +379,8 @@
+   {
+     *(buffer+l_command++) = ' ';
+     (void)wzd_strncpy(buffer + l_command, buffer_args, sizeof(buffer) - l_command - 1);
+    /* SECURITY filter buffer for shell special characters ! */
+    _cleanup_shell_command(buffer,sizeof(buffer));
+     if ( (command_output = popen(buffer,"r")) == NULL ) {
+       out_log(LEVEL_HIGH,"Hook '%s': unable to popen\n",hook->external_command);
+       return 1;
+@@ -438,6 +441,8 @@
+   else
+   {
+ /*    *(buffer+l_command++) = ' ';*/
+    /* SECURITY filter buffer for shell special characters ! */
+    _cleanup_shell_command(buffer,sizeof(buffer));
+     if ( (command_output = popen(buffer,"r")) == NULL ) {
+       out_log(LEVEL_HIGH,"Hook '%s': unable to popen\n",hook->external_command);
+       return 1;
+@@ -733,6 +738,8 @@
+ }
+ 
+ 
+/*************** STATIC ****************/
+
+ static int _hook_print_file(const char *filename, wzd_context_t *context)
+ {
+   wzd_cache_t * fp;
+@@ -765,3 +772,24 @@
+ 
+   return 0;
+ }
+
+void _cleanup_shell_command(char * buffer, size_t length)
+{
+  const char * specials = "$\\|;!`()'\"#.,:*?{}[]&<>-~";
+  size_t i,j;
+  char * buf2;
+
+  buf2 = wzd_malloc(length);
+
+  for (i=0,j=0; buffer[i]!='\0' && i<length && j<length; i++,j++) {
+    if (strchr(specials,buffer[i]) != NULL) {
+      if (j+1 >= length) { buf2[j]='\0'; break; }
+      buf2[j++] = '\\';
+    }
+    buf2[j] = buffer[i];
+  }
+
+  wzd_strncpy(buffer,buf2,length);
+  wzd_free(buf2);
+}
+