diff options
author | Denys Vlasenko <dvlasenk@redhat.com> | 2011-03-14 17:41:12 +0100 |
---|---|---|
committer | Denys Vlasenko <dvlasenk@redhat.com> | 2011-03-14 17:41:12 +0100 |
commit | cbe3dd9930e68140ca8aeb17e4fb20fce09981df (patch) | |
tree | 40811a4952b0418c5f2d8013b98f655b7a77d1d1 /src/daemon | |
parent | 938d5557c6fcedbca3ab075afb21a9c0b6a3ace8 (diff) | |
download | abrt-cbe3dd9930e68140ca8aeb17e4fb20fce09981df.tar.gz abrt-cbe3dd9930e68140ca8aeb17e4fb20fce09981df.tar.xz abrt-cbe3dd9930e68140ca8aeb17e4fb20fce09981df.zip |
abrtd: do not accept requests to delete directories not in /var/spool/abrt/
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
Diffstat (limited to 'src/daemon')
-rw-r--r-- | src/daemon/MiddleWare.cpp | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/src/daemon/MiddleWare.cpp b/src/daemon/MiddleWare.cpp index 8d62c697..84400361 100644 --- a/src/daemon/MiddleWare.cpp +++ b/src/daemon/MiddleWare.cpp @@ -744,6 +744,16 @@ int CreateReportThread(const char* crash_id, long caller_uid, int force, const c /* Remove dump dir */ int DeleteDebugDump(const char *dump_dir_name, long caller_uid) { + /* If doesn't start with "DEBUG_DUMPS_DIR/"... */ + if (strncmp(dump_dir_name, DEBUG_DUMPS_DIR"/", strlen(DEBUG_DUMPS_DIR"/")) != 0 + /* or contains "/." anywhere (-> might contain ".." component) */ + || strstr(dump_dir_name + strlen(DEBUG_DUMPS_DIR), "/.") + ) { + /* Then refuse to operate on it (someone is attacking us??) */ + error_msg("Bad dump directory name '%s', not deleting", dump_dir_name); + return MW_ERROR; + } + struct dump_dir *dd = dd_opendir(dump_dir_name, /*flags:*/ 0); if (!dd) return MW_NOENT_ERROR; @@ -760,7 +770,7 @@ int DeleteDebugDump(const char *dump_dir_name, long caller_uid) if (!string_to_bool(inform_all)) { dd_close(dd); - error_msg("crash '%s' can't be accessed by user with uid %ld", dump_dir_name, caller_uid); + error_msg("Dump directory '%s' can't be accessed by user with uid %ld", dump_dir_name, caller_uid); return 1; } } |