-rw-r--r-- | NEWS | 13 | ||||
-rw-r--r-- | README.linux | 4 | ||||
-rw-r--r-- | parse.c | 14 | ||||
-rw-r--r-- | parse.h | 1 | ||||
-rw-r--r-- | syslogd.c | 63 |
5 files changed, 71 insertions, 24 deletions
@@ -3,9 +3,9 @@ Version 1.10.2 (RGer), 2005-09-2?
 - added comparison operations in property-based filters: * isequal * startswith
-- added ability to negate all property-based filter comparison oprations
+- added ability to negate all property-based filter comparison operations
 by adding a !-sign right in front of the operation name
-- added the ability to specify remote senders for UDP
+- added the ability to specify remote senders for UDP and TCP
 received messages. Allows to block all but well-known hosts - changed the $-config line directives to be case-INsensitive - new command line option -w added: "do not display warnings if messages
@@ -16,6 +16,11 @@ Version 1.10.2 (RGer), 2005-09-2?
 results (fortunately, this function was not yet used widely) - added better support for "debugging" rsyslog.conf property filters (only if -d switch is given)
+- changed some function definitions to static, which eventually enables
+ some compiler optimizations
+- fixed a bug in MySQL code; when a SQL error occured, rsyslogd could
+ run in a tight loop. This was due to invalid sequence of error reporting
+ and is now fixed.
 --------------------------------------------------------------------------- Version 1.10.1 (RGer), 2005-09-23 - added the ability to execute a shell script as an action.
@@ -45,6 +50,10 @@ Version 1.10.0 (RGer), 2005-09-20
 - fixed a problem with compiling on SUSE and - while doing so - removed the socket call to set SO_BSDCOMPAT in cases where it is obsolete. ---------------------------------------------------------------------------
+Version 1.0.1 (RGer), 2005-09-23
+- fixed a security issue with SQL-escaping in conjunction with
+ non-(SQL-)standard MySQL features.
+---------------------------------------------------------------------------
 Version 1.0.0 (RGer), 2005-09-12 - changed install doc to cover daily cron scripts - a trouble source - added rc script for slackware (provided by Chris Elvidge - thanks!)
diff --git a/README.linux b/README.linux
index d4cf24e1..e8cc42f8 100644
--- a/README.linux
+++ b/README.linux
@@ -1,3 +1,5 @@
 This file has been superseeded by the fils in the doc folder. Please see doc/manual.html for futher details. If you are
-looking for install informaton doc/install.html is for you!
+looking for install information doc/install.html is for you!
+If you do not have the doc set, see
+ http://www.rsyslog.com/doc
@@ -453,6 +453,20 @@ int rsParsGetParsePointer(rsParsObj *pThis)
 return rsCStrLen(pThis->pCStr) - 1;
 }
+/* peek at the character at the parse pointer
+ * the caller must ensure that the parse pointer is not
+ * at the end of the parse buffer (e.g. by first calling
+ * parsIsAtEndOfParseString).
+ * rgerhards, 2005-09-27
+ */
+char parsPeekAtCharAtParsPtr(rsParsObj *pThis)
+{
+ rsCHECKVALIDOBJECT(pThis, OIDrsPars);
+ assert(pThis->iCurrPos < rsCStrLen(pThis->pCStr));
+
+ return(*(pThis->pCStr->pBuf + pThis->iCurrPos));
+}
+
 /*
 * Local variables:
@@ -80,6 +80,7 @@ rsRetVal rsParsConstructFromSz(rsParsObj **ppThis, char *psz);
 rsRetVal rsParsDestruct(rsParsObj *pThis);
 rsRetVal parsIPv4WithBits(rsParsObj *pThis, unsigned long *pIP, int *pBits);
 int parsIsAtEndOfParseString(rsParsObj *pThis);
+char parsPeekAtCharAtParsPtr(rsParsObj *pThis);
 #if 0 /* later! - but leave it in in case we need it some day... */
 /* Parse a property
@@ -729,9 +729,9 @@ void printline(char *hname, char *msg, int iSource);
 void printsys(char *msg);
 void logmsg(int pri, struct msg*, int flags);
 void fprintlog(register struct filed *f, int flags);
-void endtty();
-void wallmsg(register struct filed *f);
-void reapchild();
+static void endtty();
+static void wallmsg(register struct filed *f);
+static void reapchild();
 static const char *cvthname(struct sockaddr_in *f);
 void domark();
 void debug_switch();
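Review bot: The only bounds check in the new parsPeekAtCharAtParsPtr is `assert(pThis->iCurrPos < rsCStrLen(pThis->pCStr))`, which compiles away under NDEBUG, so a release build that calls it at end-of-string reads the byte just past the parsed data (`pThis->pCStr->pBuf + pThis->iCurrPos`) and hands it back as input. The header comment makes this the caller's duty, and the one caller in this commit does test parsIsAtEndOfParseString first, but a helper exported through parse.h will pick up other callers. A hard check in front of the assert keeps the contract cheap and safe, e.g. `if(pThis->iCurrPos >= rsCStrLen(pThis->pCStr)) return '\0';` ('\0' cannot occur inside the C string being parsed). What rsCHECKVALIDOBJECT does on an invalid object, and whether it too is debug-only, is not visible in the hunk.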
@@ -876,7 +876,7 @@ static int isAllowedSender(struct AllowedSenders *pAllowRoot, struct sockaddr_in
 == pAllow->allowedSender)
 return 1;
 }
-
+ dprintf("%x is not an allowed sender\n", (unsigned) ulAddrInLocalByteOrder);
 return 0;
 }
 #endif /* #ifdef SYSLOG_INET */
@@ -1062,6 +1062,26 @@ void TCPSessAccept(void)
 /* OK, we have a "good" index... */
 /* get the host name */
 fromHost = (char *)cvthname(&addr);
+
+ /* Here we check if a host is permitted to send us
+ * syslog messages. If it isn't, we do not further
+ * process the message but log a warning (if we are
+ * configured to do this).
+ * rgerhards, 2005-09-26
+ */
+printf("pre check allowed\n");
+ if(!isAllowedSender(pAllowedSenders_TCP, &addr)) {
+ if(option_DisallowWarning) {
+ errno = 0;
+ logerrorSz("TCP message from disallowed sender %s discarded",
+ fromHost);
+ }
+ close(newConn);
+ return;
+ }
+printf("post check allowed\n");
+
+ /* OK, we have an allowed sender, so let's continue */
 lenHostName = strlen(fromHost) + 1; /* for \0 byte */
 if((pBuf = (char*) malloc(sizeof(char) * lenHostName)) == NULL) {
 logerror("couldn't allocate buffer for hostname - ignored");
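Review bot: The `printf("pre check allowed\n");` and `printf("post check allowed\n");` lines added around the sender check in TCPSessAccept write to stdout from the daemon and look like leftover debugging; they should become `dprintf(...)` or go. The allow-list is also consulted only after `fromHost = (char *)cvthname(&addr);` has run for the peer, so if cvthname resolves the address (it is what "get the host name" calls; the hunk cannot confirm it does a DNS lookup) a rejected connection still costs a blocking lookup before it is closed, which is the opposite of what a sender filter is meant to save. Checking isAllowedSender first and resolving the name only when option_DisallowWarning needs it for the log line avoids that, as sketched below. Whether the session index found just above ("we have a 'good' index") must be released on the early return cannot be seen here; TCPSessAccept begins before the hunk.
```c
	/* check the allow-list before the (possibly slow) name lookup,
	 * so a rejected peer costs no DNS query */
	if(!isAllowedSender(pAllowedSenders_TCP, &addr)) {
		if(option_DisallowWarning) {
			fromHost = (char *)cvthname(&addr);
			errno = 0;
			logerrorSz("TCP message from disallowed sender %s discarded",
				   fromHost);
		}
		close(newConn);
		return;
	}
	/* get the host name */
	fromHost = (char *)cvthname(&addr);
	/* ... unchanged: hostname buffer allocation ... */
```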
@@ -2926,20 +2946,20 @@ int main(int argc, char **argv)
 #endif /* #ifdef SYSLOG_INET */
 #ifdef SYSLOG_UNIXAF
 for (i = 0; i < nfunix; i++) {
- if ((fd = funix[i]) != -1 && FD_ISSET(fd, &readfds)) {
- memset(line, '\0', sizeof(line));
- i = recv(fd, line, MAXLINE - 2, 0);
- dprintf("Message from UNIX socket: #%d\n", fd);
- if (i > 0) {
- line[i] = line[i+1] = '\0';
- printchopped(LocalHostName, line, i + 2, fd, SOURCE_UNIXAF);
- } else if (i < 0 && errno != EINTR) {
- dprintf("UNIX socket error: %d = %s.\n", \
- errno, strerror(errno));
- logerror("recvfrom UNIX");
- }
+ if ((fd = funix[i]) != -1 && FD_ISSET(fd, &readfds)) {
+ memset(line, '\0', sizeof(line));
+ i = recv(fd, line, MAXLINE - 2, 0);
+ dprintf("Message from UNIX socket: #%d\n", fd);
+ if (i > 0) {
+ line[i] = line[i+1] = '\0';
+ printchopped(LocalHostName, line, i + 2, fd, SOURCE_UNIXAF);
+ } else if (i < 0 && errno != EINTR) {
+ dprintf("UNIX socket error: %d = %s.\n", \
+ errno, strerror(errno));
+ logerror("recvfrom UNIX");
 }
 }
+ }
 #endif
 #ifdef SYSLOG_INET
@@ -2963,7 +2983,7 @@ int main(int argc, char **argv)
 printchopped(from, line, i + 2, finet, SOURCE_INET);
 } else {
 if(option_DisallowWarning) {
- logerrorSz("message from disallowed sender %s discarded",
+ logerrorSz("UDP message from disallowed sender %s discarded",
 from);
 }
 }
@@ -4426,7 +4446,7 @@ void fprintlog(register struct filed *f, int flags)
 jmp_buf ttybuf;
-void endtty()
+static void endtty()
 {
 longjmp(ttybuf, 1);
 }
@@ -4473,8 +4493,7 @@ void endutent(void)
 * world, or a list of approved users.
 */
-void wallmsg(f)
- register struct filed *f;
+static void wallmsg(register struct filed *f)
 {
 char p[6 + UNAMESZ];
 register int i;
@@ -4564,7 +4583,7 @@ void wallmsg(f)
 reenter = 0;
 }
-void reapchild()
+static void reapchild()
 {
 int saved_errno = errno;
 #if defined(SYSV) && !defined(linux)
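Review bot: In the re-indented UNIX-socket loop, `i = recv(fd, line, MAXLINE - 2, 0);` overwrites the counter of `for (i = 0; i < nfunix; i++)` with the byte count, so with more than one -a socket every socket after the first one that delivers a message is skipped for that select() round, and a recv() that returns -1 resets the loop to socket 0. The hunk itself only changes whitespace, but since it re-emits every line of the body it is the natural place to stop reusing the index: read into a separate local (declared with main's other locals, outside the hunk, under a name main does not already use) and test that instead of `i`, as sketched below. The rest of main() lies on both sides of the hunk.
```c
		    if ((fd = funix[i]) != -1 && FD_ISSET(fd, &readfds)) {
			memset(line, '\0', sizeof(line));
			n = recv(fd, line, MAXLINE - 2, 0);	/* do not clobber the loop index i */
			dprintf("Message from UNIX socket: #%d\n", fd);
			if (n > 0) {
				line[n] = line[n+1] = '\0';
				printchopped(LocalHostName, line, n + 2, fd, SOURCE_UNIXAF);
			} else if (n < 0 && errno != EINTR) {
				/* ... unchanged: error reporting ... */
```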
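Review bot: `static void endtty()` and `static void reapchild()` (like the matching new prototypes earlier in the commit) keep an empty parameter list, which in C declares an unprototyped function rather than one taking no arguments, so calls are not type-checked. If they are only ever called directly, `static void endtty(void)` and `static void reapchild(void)` is the right spelling; if they are installed with signal(), the declaration should instead carry the `int` signum the handler type requires, and which of the two applies is not visible in these hunks. endtty is shown in full; reapchild's body continues past the hunk.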
@@ -4893,6 +4912,8 @@ printf("addAllow..., name '%s', line: '%s'\n", pName, *ppRestOfConfLine);
 }
 while(!parsIsAtEndOfParseString(pPars)) {
+ if(parsPeekAtCharAtParsPtr(pPars) == '#')
+ break; /* a comment-sign stops processing of line */
 /* now parse a single IP address */
 if((iRet = parsIPv4WithBits(pPars, &uIP, &iBits)) != RS_RET_OK) {
 logerrorInt("Error %d parsing IP address in allowed sender" |