Files
systemd/src/basic/syslog-util.c
Lennart Poettering 812aa57d2c string-util: beef up string_is_safe()
This tightens the checks of string_is_safe() and then adds flags to
relax certain aspects of it.

This does alter the rules on certain strings we pass a bit. We mostly
tighten the rules (but I think it's find and good) but we relax them on
others.

I let claude review the changes in behaviour for the various call sites
that I made. It summarized things in this table:

  ╭───────────────────────────────────────────────────┬──────────────────────────────────────────────╮
  │ CALL SITE                                         │ EFFECTIVE DELTA                              │
  ├───────────────────────────────────────────────────┼──────────────────────────────────────────────┤
  │ src/basic/syslog-util  log_namespace_name_valid   │ +UTF-8 required (globs already blocked)      │
  │ src/bootctl  --efi-boot-option-description        │ RELAXED: '\' and quotes now permitted        │
  │ src/core/dbus-manager  pretimeout governor        │ +UTF-8, +no-globs                            │
  │ src/core/load-fragment  ExecStart= path           │ +UTF-8, +no-globs                            │
  │ src/core/main  pretimeout governor (kcmdline)     │ +UTF-8, +no-globs                            │
  │ src/core/service  sd_notify STATUS=               │ +no-globs (ASCII-only preserved)             │
  │ src/home/homectl  --<identity field>=             │ empty now REJECTED; +UTF-8                   │
  │ src/libsystemd-network  dhcp_option_parse_string  │ (equivalent, just explicit)                  │
  │ src/libsystemd-network  sd_dhcp_server boot_fname │ ""→NULL coerced; else equivalent             │
  │ src/libsystemd/journal  SYSLOG_IDENTIFIER fb      │ +UTF-8, +no-globs                            │
  │ src/libsystemd/sd-json  SD_JSON_STRICT strings    │ +UTF-8 required                              │
  │ src/login/logind  session desktop=                │ +UTF-8 required                              │
  │ src/pcrlock  EFI variable string                  │ +UTF-8                                       │
  │ src/pcrlock  EFI action string                    │ RELAXED: empty + '\' now ok; +UTF-8          │
  │ src/resolve  dns-delegate id (from filename)      │ +UTF-8, +no-globs                            │
  │ src/shared/boot-entry  boot_entry_token_valid     │ (equivalent)                                 │
  │ src/shared/conf-parser  section header            │ +UTF-8, +no-globs                            │
  │ src/shared/conf-parser  CONFIG_PARSE_STRING_SAFE  │ +UTF-8 required                              │
  │ src/shared/kbd-util  keymap_is_valid              │ (equivalent; folded into STRING_FILENAME)    │
  │ src/shared/tpm2  nvpcr name                       │ +UTF-8 required                              │
  │ src/shared/vconsole  x11 layout/model/variant/opt │ +UTF-8, +no-globs                            │
  │ src/systemctl  --kernel-cmdline=                  │ +0x7f DEL rejected; empty path split out     │
  │ src/veritysetup  salt=                            │ RELAXED: safety check removed entirely       │
  │ src/vmspawn  --ssh-key-type=                      │ +UTF-8 required                              │
  ╰───────────────────────────────────────────────────┴──────────────────────────────────────────────╯
2026-04-21 17:07:53 +02:00

124 lines
3.7 KiB
C

/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include <syslog.h>
#include "sd-id128.h"
#include "hexdecoct.h"
#include "string-table.h"
#include "string-util.h"
#include "syslog-util.h"
#include "unit-name.h"
int syslog_parse_priority(const char **p, int *priority, bool with_facility) {
int a = 0, b = 0, c = 0;
const char *end;
size_t k;
assert(p);
assert(*p);
assert(priority);
if ((*p)[0] != '<')
return 0;
end = strchr(*p, '>');
if (!end)
return 0;
k = end - *p;
assert(k > 0);
if (k == 2)
c = undecchar((*p)[1]);
else if (k == 3) {
b = undecchar((*p)[1]);
c = undecchar((*p)[2]);
} else if (k == 4) {
a = undecchar((*p)[1]);
b = undecchar((*p)[2]);
c = undecchar((*p)[3]);
} else
return 0;
if (a < 0 || b < 0 || c < 0 ||
(!with_facility && (a || b || c > 7)))
return 0;
if (with_facility)
*priority = a*100 + b*10 + c;
else
*priority = (*priority & LOG_FACMASK) | c;
*p += k + 1;
return 1;
}
static const char *const log_facility_unshifted_table[LOG_NFACILITIES] = {
[LOG_FAC(LOG_KERN)] = "kern",
[LOG_FAC(LOG_USER)] = "user",
[LOG_FAC(LOG_MAIL)] = "mail",
[LOG_FAC(LOG_DAEMON)] = "daemon",
[LOG_FAC(LOG_AUTH)] = "auth",
[LOG_FAC(LOG_SYSLOG)] = "syslog",
[LOG_FAC(LOG_LPR)] = "lpr",
[LOG_FAC(LOG_NEWS)] = "news",
[LOG_FAC(LOG_UUCP)] = "uucp",
[LOG_FAC(LOG_CRON)] = "cron",
[LOG_FAC(LOG_AUTHPRIV)] = "authpriv",
[LOG_FAC(LOG_FTP)] = "ftp",
[LOG_FAC(LOG_LOCAL0)] = "local0",
[LOG_FAC(LOG_LOCAL1)] = "local1",
[LOG_FAC(LOG_LOCAL2)] = "local2",
[LOG_FAC(LOG_LOCAL3)] = "local3",
[LOG_FAC(LOG_LOCAL4)] = "local4",
[LOG_FAC(LOG_LOCAL5)] = "local5",
[LOG_FAC(LOG_LOCAL6)] = "local6",
[LOG_FAC(LOG_LOCAL7)] = "local7",
};
DEFINE_STRING_TABLE_LOOKUP_WITH_FALLBACK(log_facility_unshifted, int, LOG_FAC(~0));
bool log_facility_unshifted_is_valid(int facility) {
return facility >= 0 && facility <= LOG_FAC(~0);
}
static const char *const log_level_table[] = {
[LOG_EMERG] = "emerg",
[LOG_ALERT] = "alert",
[LOG_CRIT] = "crit",
[LOG_ERR] = "err",
[LOG_WARNING] = "warning",
[LOG_NOTICE] = "notice",
[LOG_INFO] = "info",
[LOG_DEBUG] = "debug",
};
DEFINE_STRING_TABLE_LOOKUP_WITH_FALLBACK(log_level, int, LOG_DEBUG);
bool log_level_is_valid(int level) {
return level >= 0 && level <= LOG_DEBUG;
}
/* The maximum size for a log namespace length. This is the file name size limit 255 minus the size of a
* formatted machine ID minus a separator char */
#define LOG_NAMESPACE_MAX (NAME_MAX - (SD_ID128_STRING_MAX - 1) - 1)
bool log_namespace_name_valid(const char *s) {
/* Let's make sure the namespace fits in a filename that is prefixed with the machine ID and a dot
* (so that /var/log/journal/<machine-id>.<namespace> can be created based on it). Also make sure it
* is suitable as unit instance name, and does not contain fishy characters. */
/* Let's avoid globbing for now */
if (!string_is_safe(s, STRING_FILENAME))
return false;
if (strlen(s) > LOG_NAMESPACE_MAX)
return false;
if (!unit_instance_is_valid(s))
return false;
return true;
}