-
-
Notifications
You must be signed in to change notification settings - Fork 49
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Allow disabling character set filtering
This allows copying paths with names that would otherwise be forbidden. This requires adding new APIs, so take the opportunity to provide more useful information about why a path was rejected. To ensure that internal invariants are not violated, this uses a new COMPILETIME_UNREACHABLE macro to validate that a statement can be proven unreachable by the compiler. This is superior to abort() because it is checked at compile-time by the optimizer: if the compiler cannot prove that the code is unreachable, the build will fail. This technique is also used by BUILD_BUG_ON() in the Linux kernel. Since compilers do not promise to always be able to prove a piece of code unreachable, static checking is disabled by default. It can be enabled by including CHECK_UNREACHABLE=1 in the build environment. This is part of QubesOS/qubes-issues#8332 (less restricted qfile-copy), but that issue also requires changes to qfile-unpacker (part of qubes-core-agent-linux) to fix. The code is both backwards and forwards compatible: Old qfile-unpacker versions will work fine with the new library, and new qfile-unpacker versions will work fine with the old library. However, qubes.UnsafeFileCopy will behave like qubes.Filecopy unless the library has been updated. Initially, I decided to unconditionally disallow ASCII control characters in filenames, even if other character set filtering is disabled. This is because they are very useful for exploits and not very useful for other purposes. However, they can still arise in practice for completely legitimate reasons. These include copying and pasting into a file name in a GUI file manager and deliberately creating strangely-named files for test purposes. Therefore, disabling filtering now disables _all_ character set filtering. Restrictions to prevent directory traversal are still enforced, though, because violations of these are much more likely to be exploitable. While symlinks that point outside of the directory being copied might arise legitimately, they will not be meaningful after being copied and _do_ allow an attacker to cause mischief. For instance, if a symlink points to /home/user/.bashrc, "cp a b" in a directory copied by qvm-copy could overwrite ~/.bashrc with attacker-controlled data. The checks on symlink paths prevent this.
- Loading branch information
Showing
6 changed files
with
185 additions
and
38 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.