From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (qmail 14516 invoked from network); 25 Mar 1997 23:06:35 -0000
Received: from euclid.skiles.gatech.edu (list@130.207.146.50) by coral.primenet.com.au with SMTP; 25 Mar 1997 23:06:35 -0000
Received: (from list@localhost) by euclid.skiles.gatech.edu (8.7.3/8.7.3) id RAA03093; Tue, 25 Mar 1997 17:55:21 -0500 (EST)
Resent-Date: Tue, 25 Mar 1997 17:55:21 -0500 (EST)
Date: Mon, 24 Mar 1997 18:51:43 GMT
From: Zefram
Message-Id: <28090.199703241851@stone.dcs.warwick.ac.uk>
Subject: restricting modules
X-Patch: 224
Resent-Message-ID: <"Ooz7k2.0.Gm.OV5Ep"@euclid>
To: zsh-workers@math.gatech.edu
Resent-From: zsh-workers@math.gatech.edu
X-Mailing-List: archive/latest/3025
X-Loop: zsh-workers@math.gatech.edu
Precedence: list
Resent-Sender: zsh-workers-request@math.gatech.edu

-----BEGIN PGP SIGNED MESSAGE-----

This patch changes the effect of the RESTRICTED option on zmodload. Prior to this patch, any arbitrary, untrusted module can be declared to be a dependency of a safe module, and thus untrusted code can be run. This patch closes that security hole by preventing the specification of a module containing a /. Note that it is not a problem to declare safe dependencies of unsafe modules: that doesn't make it any easier to load the unsafe module.

The restriction on zmodload -a is also changed to match. The idea is that only the loading of unsafe modules should be prevented, and that functionality should not be otherwise reduced.

-zefram

*** Doc/Zsh/restricted.yo 1997/01/29 05:42:43 1.2 --- Doc/Zsh/restricted.yo 1997/03/23 02:23:37 *************** *** 26,34 **** commands) itemiz(turning off restricted mode with tt(set +r) or tt(unsetopt RESTRICTED)) ! itemiz(loading modules with an explicitely given pathname containing ! slashes) ! itemiz(adding/deleting builtins with tt(zmodload -a)) enditemize() These restrictions are enforced after processing the startup files.
The --- 26,33 ---- commands) itemiz(turning off restricted mode with tt(set +r) or tt(unsetopt RESTRICTED)) ! itemiz(specifying modules to be loaded with an explicitly given ! pathname containing slashes) enditemize() These restrictions are enforced after processing the startup files. The *** Src/module.c 1997/03/20 03:53:56 1.25 --- Src/module.c 1997/03/23 02:32:35 *************** *** 499,509 **** return 0; } else { /* add dependencies */ char *tnam = *args++; ! while (*args) ! add_dep(tnam, *args++); ! return 0; } } --- 499,515 ---- return 0; } else { /* add dependencies */ + int ret = 0; char *tnam = *args++; ! for(; *args; args++) { ! if(isset(RESTRICTED) && strchr(*args, '/')) { ! zwarnnam(nam, "%s: restricted", *args, 0); ! ret = 1; ! } else ! add_dep(tnam, *args); ! } ! return ret; } } *************** *** 514,523 **** if(ops['u']) { /* remove autoloaded builtins */ - if (isset(RESTRICTED)) { - zwarnnam(nam, "-a is not allowed in restricted mode", *args, 0); - return 1; - } for (; *args; args++) { Builtin bn = (Builtin) builtintab->getnode2(builtintab, *args); --- 520,525 ---- *************** *** 541,551 **** } else { /* add autoloaded builtins */ char *modnam; ! if (isset(RESTRICTED)) { ! zwarnnam(nam, "-a is not allowed in restricted mode", *args, 0); return 1; } - modnam = *args++; do { char *bnam = *args ? *args++ : modnam; if (strchr(bnam, '/')) { --- 543,553 ---- } else { /* add autoloaded builtins */ char *modnam; ! modnam = *args++; ! if(isset(RESTRICTED) && strchr(modnam, '/')) { ! zwarnnam(nam, "%s: restricted", modnam, 0); return 1; } do { char *bnam = *args ? *args++ : modnam; if (strchr(bnam, '/')) { -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: ascii iQCVAwUBMzSXn3D/+HJTpU/hAQHuNgP+LnJMnwv8Xvn/w651C+XB28LVxU71WTtp fSmMhxKdEFx6N2eXEOcDVSmzdF8QXdELEz1VrZLWgjdb9tztTJ5u2FoSVrRtFHfH 7Q8WvTFGw09dsy9M28fNs2UiROHf1cbyzVieK0eSw1ue39HsCSCcbXY2z4xTfz7u ywk86Y2k9DE= =pkzu -----END PGP SIGNATURE-----
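Review bot: in the Doc/Zsh/restricted.yo hunk, the reworded item ("specifying modules to be loaded with an explicitly given pathname containing slashes") now has to stand in for the dropped "adding/deleting builtins with tt(zmodload -a)" item as well, but as written it reads as if it only applies to the module named for loading. Suggest saying explicitly that the rule applies wherever a module name is given on the zmodload command line, including the module arguments of tt(zmodload -a) and tt(zmodload -d), so the documentation matches what the module.c hunks actually enforce.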
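Review bot: in the add-dependencies hunk (module.c 499,515), a restricted name sets `ret = 1` but the loop continues, so the remaining dependencies are still registered with `add_dep` and the command only reports failure at the end, whereas the add-autoloaded-builtins hunk returns 1 before registering anything. Either behaviour is defensible, but the two paths should agree; if partial success is intended here, it deserves a comment. On style, `for(; *args; args++) {` and `if(isset(RESTRICTED) && strchr(*args, '/')) {` drop the space after the keyword that the surrounding code uses (`for (; *args; args++) {`, `if (ops['u']) {`); match the existing spacing.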
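Review bot: removing the RESTRICTED check from the `-u` path (module.c 514,523, remove autoloaded builtins) is consistent with the stated principle, since unregistering an autoload entry does not load any code, and it also retires a call of the form `zwarnnam(nam, "-a is not allowed in restricted mode", *args, 0)` that passed `*args` to a format string with no `%s`. The covering message only describes the slash rule, though; add a line noting that `zmodload -ua` is now permitted in restricted mode so the behaviour change is recorded.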
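Review bot: in the add-autoloaded-builtins hunk (module.c 541,551), moving `modnam = *args++;` ahead of the new check is correct and necessary: the existing `if (strchr(bnam, '/')) {` test only examines the builtin names and falls back to `modnam` only when no builtin names follow, so without `if(isset(RESTRICTED) && strchr(modnam, '/'))` a slashed module name given together with builtin names would have been accepted. The new `"%s: restricted"` message also matches the one used in the dependencies hunk, which is an improvement over the old text that named `-a` regardless of the argument. Same spacing nit as the other hunk: `if(` versus the file's `if (`.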