mirror of
https://github.com/systemd/systemd.git
synced 2026-07-02 20:57:10 +00:00
This tightens the checks of string_is_safe() and then adds flags to relax certain aspects of it. This does alter the rules on certain strings we pass a bit. We mostly tighten the rules (but I think it's find and good) but we relax them on others. I let claude review the changes in behaviour for the various call sites that I made. It summarized things in this table: ╭───────────────────────────────────────────────────┬──────────────────────────────────────────────╮ │ CALL SITE │ EFFECTIVE DELTA │ ├───────────────────────────────────────────────────┼──────────────────────────────────────────────┤ │ src/basic/syslog-util log_namespace_name_valid │ +UTF-8 required (globs already blocked) │ │ src/bootctl --efi-boot-option-description │ RELAXED: '\' and quotes now permitted │ │ src/core/dbus-manager pretimeout governor │ +UTF-8, +no-globs │ │ src/core/load-fragment ExecStart= path │ +UTF-8, +no-globs │ │ src/core/main pretimeout governor (kcmdline) │ +UTF-8, +no-globs │ │ src/core/service sd_notify STATUS= │ +no-globs (ASCII-only preserved) │ │ src/home/homectl --<identity field>= │ empty now REJECTED; +UTF-8 │ │ src/libsystemd-network dhcp_option_parse_string │ (equivalent, just explicit) │ │ src/libsystemd-network sd_dhcp_server boot_fname │ ""→NULL coerced; else equivalent │ │ src/libsystemd/journal SYSLOG_IDENTIFIER fb │ +UTF-8, +no-globs │ │ src/libsystemd/sd-json SD_JSON_STRICT strings │ +UTF-8 required │ │ src/login/logind session desktop= │ +UTF-8 required │ │ src/pcrlock EFI variable string │ +UTF-8 │ │ src/pcrlock EFI action string │ RELAXED: empty + '\' now ok; +UTF-8 │ │ src/resolve dns-delegate id (from filename) │ +UTF-8, +no-globs │ │ src/shared/boot-entry boot_entry_token_valid │ (equivalent) │ │ src/shared/conf-parser section header │ +UTF-8, +no-globs │ │ src/shared/conf-parser CONFIG_PARSE_STRING_SAFE │ +UTF-8 required │ │ src/shared/kbd-util keymap_is_valid │ (equivalent; folded into STRING_FILENAME) │ │ src/shared/tpm2 nvpcr name │ +UTF-8 required │ │ src/shared/vconsole x11 layout/model/variant/opt │ +UTF-8, +no-globs │ │ src/systemctl --kernel-cmdline= │ +0x7f DEL rejected; empty path split out │ │ src/veritysetup salt= │ RELAXED: safety check removed entirely │ │ src/vmspawn --ssh-key-type= │ +UTF-8 required │ ╰───────────────────────────────────────────────────┴──────────────────────────────────────────────╯
124 lines
3.7 KiB
C
124 lines
3.7 KiB
C
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
|
|
|
#include <syslog.h>
|
|
|
|
#include "sd-id128.h"
|
|
|
|
#include "hexdecoct.h"
|
|
#include "string-table.h"
|
|
#include "string-util.h"
|
|
#include "syslog-util.h"
|
|
#include "unit-name.h"
|
|
|
|
int syslog_parse_priority(const char **p, int *priority, bool with_facility) {
|
|
int a = 0, b = 0, c = 0;
|
|
const char *end;
|
|
size_t k;
|
|
|
|
assert(p);
|
|
assert(*p);
|
|
assert(priority);
|
|
|
|
if ((*p)[0] != '<')
|
|
return 0;
|
|
|
|
end = strchr(*p, '>');
|
|
if (!end)
|
|
return 0;
|
|
|
|
k = end - *p;
|
|
assert(k > 0);
|
|
|
|
if (k == 2)
|
|
c = undecchar((*p)[1]);
|
|
else if (k == 3) {
|
|
b = undecchar((*p)[1]);
|
|
c = undecchar((*p)[2]);
|
|
} else if (k == 4) {
|
|
a = undecchar((*p)[1]);
|
|
b = undecchar((*p)[2]);
|
|
c = undecchar((*p)[3]);
|
|
} else
|
|
return 0;
|
|
|
|
if (a < 0 || b < 0 || c < 0 ||
|
|
(!with_facility && (a || b || c > 7)))
|
|
return 0;
|
|
|
|
if (with_facility)
|
|
*priority = a*100 + b*10 + c;
|
|
else
|
|
*priority = (*priority & LOG_FACMASK) | c;
|
|
|
|
*p += k + 1;
|
|
return 1;
|
|
}
|
|
|
|
static const char *const log_facility_unshifted_table[LOG_NFACILITIES] = {
|
|
[LOG_FAC(LOG_KERN)] = "kern",
|
|
[LOG_FAC(LOG_USER)] = "user",
|
|
[LOG_FAC(LOG_MAIL)] = "mail",
|
|
[LOG_FAC(LOG_DAEMON)] = "daemon",
|
|
[LOG_FAC(LOG_AUTH)] = "auth",
|
|
[LOG_FAC(LOG_SYSLOG)] = "syslog",
|
|
[LOG_FAC(LOG_LPR)] = "lpr",
|
|
[LOG_FAC(LOG_NEWS)] = "news",
|
|
[LOG_FAC(LOG_UUCP)] = "uucp",
|
|
[LOG_FAC(LOG_CRON)] = "cron",
|
|
[LOG_FAC(LOG_AUTHPRIV)] = "authpriv",
|
|
[LOG_FAC(LOG_FTP)] = "ftp",
|
|
[LOG_FAC(LOG_LOCAL0)] = "local0",
|
|
[LOG_FAC(LOG_LOCAL1)] = "local1",
|
|
[LOG_FAC(LOG_LOCAL2)] = "local2",
|
|
[LOG_FAC(LOG_LOCAL3)] = "local3",
|
|
[LOG_FAC(LOG_LOCAL4)] = "local4",
|
|
[LOG_FAC(LOG_LOCAL5)] = "local5",
|
|
[LOG_FAC(LOG_LOCAL6)] = "local6",
|
|
[LOG_FAC(LOG_LOCAL7)] = "local7",
|
|
};
|
|
|
|
DEFINE_STRING_TABLE_LOOKUP_WITH_FALLBACK(log_facility_unshifted, int, LOG_FAC(~0));
|
|
|
|
bool log_facility_unshifted_is_valid(int facility) {
|
|
return facility >= 0 && facility <= LOG_FAC(~0);
|
|
}
|
|
|
|
static const char *const log_level_table[] = {
|
|
[LOG_EMERG] = "emerg",
|
|
[LOG_ALERT] = "alert",
|
|
[LOG_CRIT] = "crit",
|
|
[LOG_ERR] = "err",
|
|
[LOG_WARNING] = "warning",
|
|
[LOG_NOTICE] = "notice",
|
|
[LOG_INFO] = "info",
|
|
[LOG_DEBUG] = "debug",
|
|
};
|
|
|
|
DEFINE_STRING_TABLE_LOOKUP_WITH_FALLBACK(log_level, int, LOG_DEBUG);
|
|
|
|
bool log_level_is_valid(int level) {
|
|
return level >= 0 && level <= LOG_DEBUG;
|
|
}
|
|
|
|
/* The maximum size for a log namespace length. This is the file name size limit 255 minus the size of a
|
|
* formatted machine ID minus a separator char */
|
|
#define LOG_NAMESPACE_MAX (NAME_MAX - (SD_ID128_STRING_MAX - 1) - 1)
|
|
|
|
bool log_namespace_name_valid(const char *s) {
|
|
/* Let's make sure the namespace fits in a filename that is prefixed with the machine ID and a dot
|
|
* (so that /var/log/journal/<machine-id>.<namespace> can be created based on it). Also make sure it
|
|
* is suitable as unit instance name, and does not contain fishy characters. */
|
|
|
|
/* Let's avoid globbing for now */
|
|
if (!string_is_safe(s, STRING_FILENAME))
|
|
return false;
|
|
|
|
if (strlen(s) > LOG_NAMESPACE_MAX)
|
|
return false;
|
|
|
|
if (!unit_instance_is_valid(s))
|
|
return false;
|
|
|
|
return true;
|
|
}
|