Tree - rpms/oddjob-gpupdate - src.fedoraproject.org

rpms / oddjob-gpupdate

Overview Files Commits Branches Forks Releases

Monitoring status:

Bugzilla Assignee:

Fedora:: pfilipen
EPEL:: pfilipen

Files

Blob Blame History Raw

From 85c13a8c3bb1dac4bd505bbf2a60fc72ea2d18b2 Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.com>
Date: Tue, 3 Aug 2021 09:01:48 -0600
Subject: [PATCH 2/4] Hardening to protect against malicous usernames

---
 src/gpupdate.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/gpupdate.c b/src/gpupdate.c
index a7480a1..dce3e5e 100644
--- a/src/gpupdate.c
+++ b/src/gpupdate.c
@@ -114,6 +114,12 @@ gpupdate(const char *user, int flags)
 	      2) not an empty string
 	      3) not already there */
 	if (user != NULL) {
+		// prevent any attempts to smuggle in command line switches
+		if (user[0] == '-') {
+			syslog(LOG_ERR, "rejecting suspicious username %s", user);
+			return HANDLER_INVALID_INVOCATION;
+		}
+
 		pwd = getpwnam(user);
 		if (pwd == NULL) {
 			syslog(LOG_ERR, "could not look up location of home directory "
-- 
2.34.1

rpms / oddjob-gpupdate

Source Code

Files