diff --git a/dom0/qubes_rpc/qubes-notify-updates b/dom0/qubes_rpc/qubes-notify-updates
index d34de46c..a6ece1d6 100755
--- a/dom0/qubes_rpc/qubes-notify-updates
+++ b/dom0/qubes_rpc/qubes-notify-updates
@@ -50,10 +50,12 @@ def main():
 os.umask(0002)
 qubes_gid = grp.getgrnam('qubes').gr_gid
- update_count = sys.stdin.readline(128).strip()
- if not update_count.isdigit():
- print >> sys.stderr, 'Domain ' + source + ' sent invalid number of updates: ' + update_count
+ untrusted_update_count = sys.stdin.readline(128).strip()
+ if not untrusted_update_count.isdigit():
+ print >> sys.stderr, 'Domain ' + source + ' sent invalid number of updates: %s' % untrusted_update_count
 exit(1)
+ # now sanitized
+ update_count = untrusted_update_count
 if source_vm.updateable:
 # Just trust information from VM itself
 update_f = open(source_vm.dir_path + '/' + updates_stat_file, "w")
diff --git a/dom0/qubes_rpc/qubes-receive-appmenus b/dom0/qubes_rpc/qubes-receive-appmenus
index fef07274..14515b63 100755
--- a/dom0/qubes_rpc/qubes-receive-appmenus
+++ b/dom0/qubes_rpc/qubes-receive-appmenus
@@ -53,10 +53,10 @@ def get_appmenus(xid):
 untrusted_appmenulist = []
 if xid == -1:
 while appmenus_line_count > 0:
- line = sys.stdin.readline(appmenus_line_size)
- if line == "":
+ untrusted_line = sys.stdin.readline(appmenus_line_size)
+ if untrusted_line == "":
 break;
- untrusted_appmenulist.append(line.strip())
+ untrusted_appmenulist.append(untrusted_line.strip())
 appmenus_line_count -= 1
 if appmenus_line_count == 0:
 raise QubesException("Line count limit exceeded")
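Review bot: The rejection branch in main() of qubes-notify-updates still writes the raw `untrusted_update_count` to stderr, so up to 128 bytes chosen by the VM, control characters included, reach whatever log or terminal in dom0 collects this service's stderr; that destination is not visible in the hunk. Formatting the value with `%r` keeps the diagnostic while escaping non-printable bytes: `' sent invalid number of updates: %r' % untrusted_update_count`. The same applies to the new `dom0updates_fatal(untrusted_f, ... + untrusted_f)` call in qubes-receive-updates, where the file name is reported precisely because it failed `package_regex`. main() starts and ends outside the hunk.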
@@ -64,10 +64,10 @@ def get_appmenus(xid):
 p = subprocess.Popen ([qrexec_client_path, '-d', str(xid), 'user:QUBESRPC qubes.GetAppmenus dom0'], stdout=subprocess.PIPE)
 while appmenus_line_count > 0:
- line = p.stdout.readline(appmenus_line_size)
- if line == "":
+ untrusted_line = p.stdout.readline(appmenus_line_size)
+ if untrusted_line == "":
 break;
- untrusted_appmenulist.append(line.strip())
+ untrusted_appmenulist.append(untrusted_line.strip())
 appmenus_line_count -= 1
 p.wait()
 if p.returncode != 0:
@@ -88,6 +88,7 @@ def get_appmenus(xid):
 if untrusted_m:
 untrusted_key = untrusted_m.group(2)
 untrusted_value = untrusted_m.group(3)
+ # Look only at predefined keys
 if fields_regexp.has_key(untrusted_key):
 if fields_regexp[untrusted_key].match(untrusted_value):
 # now values are sanitized
diff --git a/dom0/qubes_rpc/qubes-receive-updates b/dom0/qubes_rpc/qubes-receive-updates
index 78d9027c..e076900b 100755
--- a/dom0/qubes_rpc/qubes-receive-updates
+++ b/dom0/qubes_rpc/qubes-receive-updates
@@ -66,9 +66,12 @@ def handle_dom0updates(updatevm):
 os.chmod(updates_rpm_dir, 0775)
 subprocess.check_call(["/usr/lib/qubes/qfile-dom0-unpacker", str(os.getuid()), updates_rpm_dir])
 # Verify received files
- for f in os.listdir(updates_rpm_dir):
- full_path = updates_rpm_dir + "/" + f
- if package_regex.match(f):
+ for untrusted_f in os.listdir(updates_rpm_dir):
+ if not package_regex.match(untrusted_f):
+ dom0updates_fatal(untrusted_f, 'Domain ' + source + ' sent unexpected file: ' + untrusted_f)
+ else:
+ f = untrusted_f
+ full_path = updates_rpm_dir + "/" + f
 if os.path.islink(full_path) or not os.path.isfile(full_path):
 dom0updates_fatal(f, 'Domain ' + source + ' sent not regular file')
 p = subprocess.Popen (["/bin/rpm", "-K", full_path],
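Review bot: The `# now values are sanitized` claim under the new comment in get_appmenus holds only if every pattern in `fields_regexp` is anchored at its end, because `match()` anchors the start of the string and nothing else. The patterns are defined outside this hunk, so that could not be confirmed here. I would record the requirement next to the check, for example `# every fields_regexp pattern must end with $; match() only anchors the start`. get_appmenus continues outside the hunk.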
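Review bot: In handle_dom0updates, `f = untrusted_f` drops the `untrusted_` prefix without a comment, unlike the `# now sanitized` marker this commit adds in qubes-notify-updates. At that point only the file name has been checked; the file's contents stay unverified until the `rpm -K` call a few lines below has passed. I would add `# name matches package_regex; contents are unverified until rpm -K succeeds` above the assignment so the narrower meaning of the rename is explicit. handle_dom0updates continues outside the hunk.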
@@ -78,8 +81,6 @@ def handle_dom0updates(updatevm):
 dom0updates_fatal(f, 'Error while verifing %s signature: %s' % (f, output))
 if not gpg_ok_regex.search(output.strip()):
 dom0updates_fatal(f, 'Domain ' + source + ' sent not signed rpm: ' + f)
- else:
- dom0updates_fatal(f, 'Domain ' + source + ' sent unexpected file: ' + f)
 if updates_error_file_handle is not None:
 updates_error_file_handle.close()
 # After updates received - create repo metadata