Index: trunk/configure.ac
===================================================================
--- trunk/configure.ac	(revision 346)
+++ trunk/configure.ac	(revision 347)
@@ -788,4 +788,16 @@
 	],
 	[AC_DEFINE(SH_WITH_MAIL)]
+)
+
+AC_ARG_ENABLE(shellexpand,
+	[  --disable-shellexpand		disable shell expansion in config file],
+	[
+	if test "x${enable_shellexpand}" = xno; then
+		:
+	else
+		AC_DEFINE(SH_EVAL_SHELL, [1], [Define if you want shell expansion in configuration file])
+	fi
+	],
+	[AC_DEFINE(SH_EVAL_SHELL, [1], [Define if you want shell expansion in configuration file])]
 )
 
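Review bot: Shell expansion stays compiled in unless the builder passes `--disable-shellexpand`, because both the `else` branch and the default (fourth) argument define SH_EVAL_SHELL, and the help string does not say that enabled is the default. Given the Changelog motivation (a configuration supplied by a compromised server), anyone who wants the protection has to opt out explicitly. The help text should say so, e.g. `--disable-shellexpand		disable shell expansion in config file (enabled by default)`. The two identical AC_DEFINE lines could also be reduced to one by testing `"x${enable_shellexpand}" != xno` after the AC_ARG_ENABLE call.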
Index: trunk/docs/Changelog
===================================================================
--- trunk/docs/Changelog	(revision 346)
+++ trunk/docs/Changelog	(revision 347)
@@ -1,2 +1,11 @@
+2.8.5:
+	* Better protection against the 'intruder on server' scenario
+	  pointed out by xrx. Add option to disable shell expansion in
+	  configuration files, and check gpg signature earlier.
+	* Support /opt/local/bin in the Unix entropy gatherer (suggestion
+	  by Sean Chittenden)
+	* Cache timeserver response for one second (suggestion by
+	  Sean Chittenden)
+
 2.8.4a:
 	* Fix for compile error with --with-prelude 
Index: trunk/include/sh_gpg.h
===================================================================
--- trunk/include/sh_gpg.h	(revision 346)
+++ trunk/include/sh_gpg.h	(revision 347)
@@ -22,4 +22,9 @@
 #ifndef SH_GPG_H
 #define SH_GPG_H
+
+/* Top level function to verify file.
+ */
+SL_TICKET sh_gpg_extract_signed(SL_TICKET fd);
+
 /* this function exits if configuration file
  * and/or database cannot be verified; otherwise returns 0
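Review bot: The comment on `sh_gpg_extract_signed()` says it verifies the file, but the implementation added in sh_gpg.c only copies the PGP-armored block into a temporary file and returns that ticket. The callers in this commit do the actual check with a separate `sh_gpg_check_sign()` call. A comment such as `/* Copy the PGP-armored part of fd to a temporary file and return its ticket. Does NOT verify the signature; the caller must still close fd. */` would keep a future caller from treating the return value as a verdict.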
Index: trunk/src/sh_getopt.c
===================================================================
--- trunk/src/sh_getopt.c	(revision 346)
+++ trunk/src/sh_getopt.c	(revision 347)
@@ -439,4 +439,9 @@
   printf (_("   -- Key fingerprint: %s"), SH_GPG_FP); ++num;
 #endif
+#endif
+
+#if defined(SH_SHELL_EVAL)
+  if (num > 0) fputc ('\n', stdout);
+  fputs (_(" shell expansion in configuration file supported"), stdout); ++num;
 #endif
 
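Review bot: The guard `#if defined(SH_SHELL_EVAL)` does not match the macro this commit defines in configure.ac and tests in sh_readconf.c, which is `SH_EVAL_SHELL`. Unless something outside this diff defines SH_SHELL_EVAL, the "shell expansion in configuration file supported" line is never printed, so the feature listing under-reports a build that can run commands from its configuration file. The line should read `#if defined(SH_EVAL_SHELL)`. The enclosing function starts and ends outside the hunk.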
Index: trunk/src/sh_gpg.c
===================================================================
--- trunk/src/sh_gpg.c	(revision 346)
+++ trunk/src/sh_gpg.c	(revision 347)
@@ -1202,4 +1202,80 @@
 }  
 
+#define FGETS_BUF 16384
+
+SL_TICKET sh_gpg_extract_signed(SL_TICKET fd)
+{
+  FILE * fin_cp = NULL;
+  char * buf    = NULL;
+  int    bufc;
+  int    flag_pgp    = S_FALSE;
+  int    flag_nohead = S_FALSE;
+  SL_TICKET fdTmp = (-1);
+  SL_TICKET open_tmp (void);
+
+  /* extract the data and copy to temporary file
+   */
+  fdTmp = open_tmp();
+
+  fin_cp = fdopen(dup(get_the_fd(fd)), "rb");
+  buf = SH_ALLOC(FGETS_BUF);
+
+  while (NULL != fgets(buf, FGETS_BUF, fin_cp))
+    {
+      bufc = 0; 
+      while (bufc < FGETS_BUF) { 
+	if (buf[bufc] == '\n') { ++bufc; break; }
+	++bufc;
+      }
+
+      if (flag_pgp == S_FALSE &&
+	  (0 == sl_strcmp(buf, _("-----BEGIN PGP SIGNED MESSAGE-----\n"))||
+	   0 == sl_strcmp(buf, _("-----BEGIN PGP MESSAGE-----\n")))
+	  )
+	{
+	  flag_pgp = S_TRUE;
+	  sl_write(fdTmp, buf, bufc);
+	  continue;
+	}
+      
+      if (flag_pgp == S_TRUE && flag_nohead == S_FALSE)
+	{
+	  if (buf[0] == '\n')
+	    {
+	      flag_nohead = S_TRUE;
+	      sl_write(fdTmp, buf, 1);
+	      continue;
+	    }
+	  else if (0 == sl_strncmp(buf, _("Hash:"), 5) ||
+		   0 == sl_strncmp(buf, _("NotDashEscaped:"), 15))
+	    {
+	      sl_write(fdTmp, buf, bufc);
+	      continue;
+	    }
+	  else
+	    continue;
+	}
+    
+      if (flag_pgp == S_TRUE && buf[0] == '\n')
+	{
+	  sl_write(fdTmp, buf, 1);
+	}
+      else if (flag_pgp == S_TRUE)
+	{
+	  /* sl_write_line(fdTmp, buf, bufc); */
+	  sl_write(fdTmp, buf, bufc);
+	}
+      
+      if (flag_pgp == S_TRUE && 
+	  0 == sl_strcmp(buf, _("-----END PGP SIGNATURE-----\n")))
+	break;
+    }
+  SH_FREE(buf);
+  sl_fclose(FIL__, __LINE__, fin_cp); /* fin_cp = fdopen(dup(), "rb"); */
+  sl_rewind (fdTmp);
+
+  return fdTmp;
+}
+
 /* #ifdef WITH_GPG */
 #endif
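Review bot: The length scan at the top of the loop in sh_gpg_extract_signed() stops only at a newline or at FGETS_BUF, not at the terminating NUL. For a line with no newline inside the buffer (a last line without a trailing newline, or one longer than FGETS_BUF-1), `bufc` runs on into stale or possibly uninitialized bytes, and `sl_write(fdTmp, buf, bufc)` copies them into the temporary file that the callers then signature-check and read. Bounding it by what fgets() actually stored, e.g. `bufc = (int) strlen(buf);`, avoids that. Separately, the results of `open_tmp()`, `dup()` and `fdopen()` are used unchecked, so a NULL `fin_cp` goes straight into `fgets()`; a guard before the loop, such as `if (fin_cp == NULL)` with an error return, would make that failure explicit.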
Index: trunk/src/sh_hash.c
===================================================================
--- trunk/src/sh_hash.c	(revision 346)
+++ trunk/src/sh_hash.c	(revision 347)
@@ -1295,12 +1295,8 @@
 #if defined(WITH_GPG) || defined(WITH_PGP)
   extern int get_the_fd (SL_TICKET ticket);
-  FILE *   fin_cp = NULL;
-
-  char * buf  = NULL;
-  int    bufc;
+
   int    flag_pgp;
   int    flag_nohead;
   SL_TICKET fdTmp = (-1);
-  SL_TICKET open_tmp (void);
 #endif
   char hashbuf[KEYBUF_SIZE];
@@ -1405,77 +1401,19 @@
 
 #if defined(WITH_GPG) || defined(WITH_PGP)
-  /* new 1.4.8: also checked for server data */
 
   /* extract the data and copy to temporary file
    */
-  fdTmp = open_tmp();
-
-  fin_cp = fdopen(dup(get_the_fd(fd)), "rb");
-  buf = SH_ALLOC(FGETS_BUF);
-
-  while (NULL != fgets(buf, FGETS_BUF, fin_cp))
-    {
-      bufc = 0; 
-      while (bufc < FGETS_BUF) { 
-	if (buf[bufc] == '\n') { ++bufc; break; }
-	++bufc;
-      }
-
-      if (sig_termfast == 1)  /* SIGTERM */
-	{
-	  TPT((0, FIL__, __LINE__, _("msg=<Terminate.>\n")));
-	  --sig_raised; --sig_urgent;
-	  retval = 1; exitval = EXIT_SUCCESS;
-	  goto unlock_and_return;
-	}
-
-      if (flag_pgp == S_FALSE &&
-	  (0 == sl_strcmp(buf, _("-----BEGIN PGP SIGNED MESSAGE-----\n"))||
-	   0 == sl_strcmp(buf, _("-----BEGIN PGP MESSAGE-----\n")))
-	  )
-	{
-	  flag_pgp = S_TRUE;
-	  sl_write(fdTmp, buf, bufc);
-	  continue;
-	}
-      
-      if (flag_pgp == S_TRUE && flag_nohead == S_FALSE)
-	{
-	  if (buf[0] == '\n')
-	    {
-	      flag_nohead = S_TRUE;
-	      sl_write(fdTmp, buf, 1);
-	      continue;
-	    }
-	  else if (0 == sl_strncmp(buf, _("Hash:"), 5) ||
-		   0 == sl_strncmp(buf, _("NotDashEscaped:"), 15))
-	    {
-	      sl_write(fdTmp, buf, bufc);
-	      continue;
-	    }
-	  else
-	    continue;
-	}
-    
-      if (flag_pgp == S_TRUE && buf[0] == '\n')
-	{
-	  sl_write(fdTmp, buf, 1);
-	}
-      else if (flag_pgp == S_TRUE)
-	{
-	  /* sl_write_line(fdTmp, buf, bufc); */
-	  sl_write(fdTmp, buf, bufc);
-	}
-      
-      if (flag_pgp == S_TRUE && 
-	  0 == sl_strcmp(buf, _("-----END PGP SIGNATURE-----\n")))
-	break;
-    }
-  SH_FREE(buf);
+  fdTmp = sh_gpg_extract_signed(fd);
+
+  if (sig_termfast == 1)  /* SIGTERM */
+    {
+      TPT((0, FIL__, __LINE__, _("msg=<Terminate.>\n")));
+      --sig_raised; --sig_urgent;
+      retval = 1; exitval = EXIT_SUCCESS;
+      goto unlock_and_return;
+    }
+
   sl_close(fd);
-  sl_fclose(FIL__, __LINE__, fin_cp); /* fin_cp = fdopen(dup(), "rb"); */
-
   fd = fdTmp;
-  sl_rewind (fd);
 
   /* Validate signature of open file.
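Review bot: The ticket returned by `sh_gpg_extract_signed(fd)` is used without a check: `sl_close(fd); fd = fdTmp;` runs even if open_tmp() failed inside the helper, so the original descriptor is gone and everything afterwards relies on sh_gpg_check_sign() rejecting an invalid ticket. Testing the result before closing `fd`, e.g. `if (SL_ISERROR(fdTmp)) { ... }`, would make the failure path explicit; the same applies to `fdGpg` in the sh_readconf.c hunk that calls the helper. Also, the SIGTERM branch now runs only after the whole file has been copied and jumps to `unlock_and_return` with `fdTmp` still open; whether that label closes it is outside the hunk, as is the rest of the enclosing function.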
@@ -1488,5 +1426,4 @@
   sl_rewind (fd);
 #endif
-  /* } new 1.4.8 check sig also for files downloaded from server */
 
   line = SH_ALLOC(MAX_PATH_STORE+2);
Index: trunk/src/sh_readconf.c
===================================================================
--- trunk/src/sh_readconf.c	(revision 346)
+++ trunk/src/sh_readconf.c	(revision 347)
@@ -136,4 +136,5 @@
 static char * sh_readconf_expand_value (const char * str)
 {
+#ifdef SH_EVAL_SHELL
   char * tmp = (char*)str;
   char * out;
@@ -152,4 +153,5 @@
 	}
     }
+#endif
   return sh_util_strdup(str);
 }
@@ -161,5 +163,7 @@
   SH_RC_FILE       = 3,
   SH_RC_IFACE      = 4,
+#ifdef SH_EVAL_SHELL
   SH_RC_CMD        = 5
+#endif
 };
 
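Review bot: With SH_EVAL_SHELL undefined, the enum now ends in `SH_RC_IFACE = 4, };`, and a trailing comma in an enumerator list is only valid from C99 on. Strict C89 compilers will warn on or reject the `--disable-shellexpand` build. Since the `command_succeeds` parser branch and `case SH_RC_CMD:` are already guarded in the later hunks, the simplest fix is to leave `SH_RC_CMD        = 5` unconditional. The start of the enum is outside the hunk.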
@@ -218,8 +222,10 @@
 	  p += 15; cond_type = SH_RC_SYSTEM;
 	}
+#ifdef SH_EVAL_SHELL
       else if (0 == strncasecmp(p, _("command_succeeds "), 17))
 	{
 	  p += 17; cond_type = SH_RC_CMD;
 	}
+#endif
       else
 	{
@@ -271,8 +277,10 @@
 	match = negate;
       break;
+#ifdef SH_EVAL_SHELL
     case SH_RC_CMD:
       if (0 == sh_unix_run_command(p))
 	match = negate;
       break;
+#endif
     default:
       match = 0;
@@ -337,5 +345,7 @@
 #if defined(SH_STEALTH) && !defined(SH_STEALTH_MICRO)
   SL_TICKET    fdTmp = -1;
-  SL_TICKET open_tmp (void);
+#endif
+#if defined(WITH_GPG) || defined(WITH_PGP)
+  SL_TICKET    fdGpg = -1;
 #endif
   char * tmp;
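Review bot: Removing the local prototype `SL_TICKET open_tmp (void);` leaves any remaining `open_tmp()` call in the SH_STEALTH part of this function without a visible declaration, unless a header provides one. The new sh_gpg_extract_signed() in sh_gpg.c still declares it locally, which suggests no header does. If the stealth path (outside this hunk) still calls it, the call falls back to an implicit `int` declaration, and the return value may be truncated where SL_TICKET is wider than int. Keeping the prototype inside the `#if defined(SH_STEALTH)` block, or moving it into a shared header, would avoid that.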
@@ -464,4 +474,23 @@
   sl_close(fd);
   fd = fdTmp;
+  sl_rewind (fd);
+#endif
+
+#if defined(WITH_GPG) || defined(WITH_PGP)
+
+  /* extract the data and copy to temporary file
+   */
+  fdGpg = sh_gpg_extract_signed(fd);
+
+  sl_close(fd);
+  fd = fdGpg;
+
+  /* Validate signature of open file.
+   */
+  if (0 != sh_gpg_check_sign (fd, 0, 1))
+    {
+      SH_FREE(line_in);
+      aud_exit (FIL__, __LINE__, EXIT_FAILURE);
+    }
   sl_rewind (fd);
 #endif
@@ -664,15 +693,4 @@
 		     (long) conf_line);
 
-#if defined(WITH_GPG) || defined(WITH_PGP)
-  /* Validate signature of open file.
-   */
-  sl_rewind (fd);
-  if (0 != sh_gpg_check_sign (fd, 0, 1))
-    {
-      SH_FREE(line_in);
-      aud_exit (FIL__, __LINE__, EXIT_FAILURE);
-    }
-#endif
-
   sl_close (fd);
 
@@ -1358,4 +1376,5 @@
 
   /* Expand shell expressions. This return allocated memory which we must free.
+   * If !defined(SH_EVAL_SHELL), this will reduce to a strdup.
    */
   value = sh_readconf_expand_value(value);
