Fixed SQL injection
Fixed an emabarassignly obvious SQL injection bug by throwing `sqlite3_exec` away.
This commit is contained in:
@@ -207,42 +207,29 @@ void destroy_perm_permissions_table(void) { sqlite3_close(perm_database); }
|
|||||||
*/
|
*/
|
||||||
access_t check_perm_access_noparent(const char *filename,
|
access_t check_perm_access_noparent(const char *filename,
|
||||||
struct process_info pi) {
|
struct process_info pi) {
|
||||||
|
access_t ret = NDEF;
|
||||||
|
sqlite3_stmt *stmt = NULL;
|
||||||
|
const char *sql = "SELECT mode FROM permissions WHERE executable = ?1 "
|
||||||
|
"AND (( ?2 LIKE CONCAT(filename, \'%\') AND filename "
|
||||||
|
"GLOB \'*/\') OR filename = ?2 );";
|
||||||
|
sqlite3_prepare_v2(perm_database, sql, -1, &stmt, NULL);
|
||||||
|
sqlite3_bind_text(stmt, 1, pi.name, -1, SQLITE_STATIC);
|
||||||
|
sqlite3_bind_text(stmt, 2, filename, -1, SQLITE_STATIC);
|
||||||
|
|
||||||
char *query = NULL;
|
int step_ret = sqlite3_step(stmt);
|
||||||
int ret = asprintf(&query,
|
if (step_ret == SQLITE_ROW) {
|
||||||
"SELECT * FROM %s WHERE executable = \'%s\' "
|
int mode_col = sqlite3_column_int(stmt, 0);
|
||||||
"AND ((\'%s\' LIKE CONCAT(filename, \'%%\') AND filename "
|
if (mode_col) {
|
||||||
"GLOB \'*/\') OR filename = \'%s\');",
|
ret = ALLOW;
|
||||||
table_name, pi.name, filename, filename);
|
} else {
|
||||||
fprintf(stderr, "query: %s\n", query);
|
ret = DENY;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
fprintf(stderr, "SQLite error: %s\n", sqlite3_errstr(step_ret));
|
||||||
|
}
|
||||||
|
sqlite3_finalize(stmt);
|
||||||
|
|
||||||
if (ret < 0) {
|
return ret;
|
||||||
// If asprintf fails, the contents of query are undefined (see man
|
|
||||||
// asprintf). That does not explicitly rule out that query will be a valid
|
|
||||||
// pointer. But the risk of freeing a non-allocated pointer is too much to
|
|
||||||
// justify preparing for this.
|
|
||||||
fprintf(stderr, "Could not create query on access check");
|
|
||||||
perror("");
|
|
||||||
return NDEF;
|
|
||||||
}
|
|
||||||
|
|
||||||
char *sqlite_error = NULL;
|
|
||||||
int flag = 0;
|
|
||||||
ret = sqlite3_exec(perm_database, query, set_flag, &flag, &sqlite_error);
|
|
||||||
free((void *)query);
|
|
||||||
if (ret != SQLITE_OK) {
|
|
||||||
fprintf(stderr, "SQLite returned an error: %s\n", sqlite_error);
|
|
||||||
sqlite3_free(sqlite_error);
|
|
||||||
return NDEF;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (flag == 1) {
|
|
||||||
return ALLOW;
|
|
||||||
}
|
|
||||||
if (flag == -1) {
|
|
||||||
return DENY;
|
|
||||||
}
|
|
||||||
return NDEF;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -310,7 +297,7 @@ int set_perm_access(const char *filename, struct process_info pi,
|
|||||||
// asprintf). That does not explicitly rule out that query will be a valid
|
// asprintf). That does not explicitly rule out that query will be a valid
|
||||||
// pointer. But the risk of freeing a non-allocated pointer is too much to
|
// pointer. But the risk of freeing a non-allocated pointer is too much to
|
||||||
// justify preparing for this.
|
// justify preparing for this.
|
||||||
fprintf(stderr, "Could not create query on rule insertion");
|
fprintf(stderr, "Could not create query on rule insertion\n");
|
||||||
perror("");
|
perror("");
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user