Escape control characters in log messages and "sudoreplay -l" output.
The log message contains user-controlled strings that could include things like terminal control characters. Space characters in the command path are now also escaped. Command line arguments that contain spaces are surrounded with single quotes and any literal single quote or backslash characters are escaped with a backslash. This makes it possible to distinguish multiple command line arguments from a single argument that contains spaces. Issue found by Matthieu Barjole and Victor Cutillas of Synacktiv (https://synacktiv.com).
This commit is contained in:
Todd C. Miller
106
lib/util/lbuf.c
106
lib/util/lbuf.c
@@ -94,6 +94,112 @@ sudo_lbuf_expand(struct sudo_lbuf *lbuf, unsigned int extra)
|
||||
debug_return_bool(true);
|
||||
}
|
||||
|
||||
/*
|
||||
* Escape a character in octal form (#0n) and store it as a string
|
||||
* in buf, which must have at least 6 bytes available.
|
||||
* Returns the length of buf, not counting the terminating NUL byte.
|
||||
*/
|
||||
static int
|
||||
escape(unsigned char ch, char *buf)
|
||||
{
|
||||
const int len = ch < 0100 ? (ch < 010 ? 3 : 4) : 5;
|
||||
|
||||
/* Work backwards from the least significant digit to most significant. */
|
||||
switch (len) {
|
||||
case 5:
|
||||
buf[4] = (ch & 7) + '0';
|
||||
ch >>= 3;
|
||||
FALLTHROUGH;
|
||||
case 4:
|
||||
buf[3] = (ch & 7) + '0';
|
||||
ch >>= 3;
|
||||
FALLTHROUGH;
|
||||
case 3:
|
||||
buf[2] = (ch & 7) + '0';
|
||||
buf[1] = '0';
|
||||
buf[0] = '#';
|
||||
break;
|
||||
}
|
||||
buf[len] = '\0';
|
||||
|
||||
return len;
|
||||
}
|
||||
|
||||
/*
|
||||
* Parse the format and append strings, only %s and %% escapes are supported.
|
||||
* Any non-printable characters are escaped in octal as #0nn.
|
||||
*/
|
||||
bool
|
||||
sudo_lbuf_append_esc_v1(struct sudo_lbuf *lbuf, int flags, const char *fmt, ...)
|
||||
{
|
||||
unsigned int saved_len = lbuf->len;
|
||||
bool ret = false;
|
||||
const char *s;
|
||||
va_list ap;
|
||||
debug_decl(sudo_lbuf_append_esc, SUDO_DEBUG_UTIL);
|
||||
|
||||
if (sudo_lbuf_error(lbuf))
|
||||
debug_return_bool(false);
|
||||
|
||||
#define should_escape(ch) \
|
||||
((ISSET(flags, LBUF_ESC_CNTRL) && iscntrl((unsigned char)ch)) || \
|
||||
(ISSET(flags, LBUF_ESC_BLANK) && isblank((unsigned char)ch)))
|
||||
#define should_quote(ch) \
|
||||
(ISSET(flags, LBUF_ESC_QUOTE) && (ch == '\'' || ch == '\\'))
|
||||
|
||||
va_start(ap, fmt);
|
||||
while (*fmt != '\0') {
|
||||
if (fmt[0] == '%' && fmt[1] == 's') {
|
||||
if ((s = va_arg(ap, char *)) == NULL)
|
||||
s = "(NULL)";
|
||||
while (*s != '\0') {
|
||||
if (should_escape(*s)) {
|
||||
if (!sudo_lbuf_expand(lbuf, sizeof("#0177") - 1))
|
||||
goto done;
|
||||
lbuf->len += escape(*s++, lbuf->buf + lbuf->len);
|
||||
continue;
|
||||
}
|
||||
if (should_quote(*s)) {
|
||||
if (!sudo_lbuf_expand(lbuf, 2))
|
||||
goto done;
|
||||
lbuf->buf[lbuf->len++] = '\\';
|
||||
lbuf->buf[lbuf->len++] = *s++;
|
||||
continue;
|
||||
}
|
||||
if (!sudo_lbuf_expand(lbuf, 1))
|
||||
goto done;
|
||||
lbuf->buf[lbuf->len++] = *s++;
|
||||
}
|
||||
fmt += 2;
|
||||
continue;
|
||||
}
|
||||
if (should_escape(*fmt)) {
|
||||
if (!sudo_lbuf_expand(lbuf, sizeof("#0177") - 1))
|
||||
goto done;
|
||||
if (*fmt == '\'') {
|
||||
lbuf->buf[lbuf->len++] = '\\';
|
||||
lbuf->buf[lbuf->len++] = *fmt++;
|
||||
} else {
|
||||
lbuf->len += escape(*fmt++, lbuf->buf + lbuf->len);
|
||||
}
|
||||
continue;
|
||||
}
|
||||
if (!sudo_lbuf_expand(lbuf, 1))
|
||||
goto done;
|
||||
lbuf->buf[lbuf->len++] = *fmt++;
|
||||
}
|
||||
ret = true;
|
||||
|
||||
done:
|
||||
if (!ret)
|
||||
lbuf->len = saved_len;
|
||||
if (lbuf->size != 0)
|
||||
lbuf->buf[lbuf->len] = '\0';
|
||||
va_end(ap);
|
||||
|
||||
debug_return_bool(ret);
|
||||
}
|
||||
|
||||
/*
|
||||
* Parse the format and append strings, only %s and %% escapes are supported.
|
||||
* Any characters in set are quoted with a backslash.
|
||||
|
||||
Reference in New Issue
Block a user