raster pushed a commit to branch master.

http://git.enlightenment.org/core/enlightenment.git/commit/?id=800ff4e24ff1a48dfa97f0cf6fe2d70c6768533b

commit 800ff4e24ff1a48dfa97f0cf6fe2d70c6768533b
Author: Carsten Haitzler (Rasterman) <ras...@rasterman.com>
Date:   Wed Apr 22 14:32:04 2020 +0100

    e sys store - unmount verify its root and right username
    
    also check for relative paths, shell metachars etc.
    
    fixes T8671
---
 src/bin/system/e_system_storage.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/bin/system/e_system_storage.c 
b/src/bin/system/e_system_storage.c
index 2693e0216..f9e5ff1ac 100644
--- a/src/bin/system/e_system_storage.c
+++ b/src/bin/system/e_system_storage.c
@@ -164,17 +164,26 @@ _store_umount_verify(const char *mnt)
    for (s = mnt; *s; s++)
      {
         if (*s == '\\') return EINA_FALSE;
+        if ((*s <= '*') || (*s == '`') || (*s == ';') || (*s == '<') ||
+            (*s == '>') || (*s == '?') || (*s >= '{') ||
+            ((*s >= '[') && (*s <= '^')))
+          return EINA_FALSE;
      }
+   if (strstr(mnt, "/..")) return EINA_FALSE;
+   if (strstr(mnt, "/./")) return EINA_FALSE;
+   if (strstr(mnt, "//")) return EINA_FALSE;
    if (stat(mnt, &st) != 0) return EINA_FALSE;
    if (!S_ISDIR(st.st_mode)) return EINA_FALSE;
    tmnt = strdup(mnt);
    if (!tmnt) return EINA_FALSE;
-   p = strchr(tmnt + 8, '/');
+   p = strchr(tmnt + 7, '/');
    if (!p) goto err;
    *p = '\0';
    if (stat(tmnt, &st) != 0) goto err;
    if (st.st_uid != 0) goto err;
    if (st.st_gid != 0) goto err;
+   p = tmnt + 7; // after /media/ (so username)
+   if (strcmp(p + 1, user_name)) goto err; // not user named dir
    free(tmnt);
    return EINA_TRUE;
 err:
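Review bot: The new username check is off by one: `p = tmnt + 7` already points at the first byte after `/media/` (the comment says so), yet the comparison reads `strcmp(p + 1, user_name)`, so for a mount under `/media/bob/...` it compares `ob` against `bob` and every legitimate unmount is rejected; the line should be `if (strcmp(p, user_name)) goto err; // not user named dir`. This fails closed, so it is a functional rather than a privilege bug, but it makes the whole verify path unusable. This assumes the `/media/` prefix is enforced above the hunk (otherwise `tmnt + 7` can index past a shorter string), which I cannot see from here; the function `_store_umount_verify` starts before the hunk and its `err:` cleanup continues after it. Separately, the three `strstr` rejections do not catch a trailing `/.` (e.g. `/media/bob/.`), which resolves to the root-owned user directory itself rather than a mount under it, so rejecting a path ending in `/.` alongside `/../` and `/./` would close that gap.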
