Qubes/core-agent-linux
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Only allow known-safe characters in socket paths

Browse Source 
The socket path will be included in a shell command and then as a socat
argument, so only allow a small subset of known-safe characters.  In
practice, this has not been a problem because mktemp doesn’t include
these characters in its output.
This commit is contained in:
Demi Marie Obenour 2020-11-27 15:25:29 -05:00
parent c3761ac7e7
commit 06d84b5198
No known key found for this signature in database
GPG Key ID: 28A45C93B0B5B6E0
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
qubes-rpc/qubes.ShowInTerminal
View File

@ -1,10 +1,11 @@
#!/bin/bash -- #!/bin/bash --
set -eu set -eu
umask 0077
tmpdir="$(mktemp -d)" tmpdir="$(mktemp -d)"
if [[ $tmpdir =~ \" ]]; then if ! [[ $tmpdir =~ ^/[/A-Za-z0-9._-]+$ ]]; then
echo 'Error: non admissible character detected in sock path.' echo 'Error: non admissible character detected in sock path.'>&2
exit 1 exit 1
fi fi