Fixed arbitrary permission order

2025-05-20 11:07:28 +02:00 · 2025-05-20 11:07:28 +02:00 · b550c93884
commit b550c93884
parent a7e5d7d92d
1 changed files with 18 additions and 12 deletions
--- a/src/temp_permissions_table.c
+++ b/src/temp_permissions_table.c
@ -192,26 +192,32 @@ access_t check_temp_access_noparent(const char *filename, pid_t pid) {
      // the process is the same as the one that was granted temporary access
      // to the file
      size_t filename_len = strlen(filename);
+      access_t ret = NDEF;
+      size_t maxlen = 0;
      for_each(&permission_entry->denied_files, denied_file) {
        size_t denied_file_len = strlen(*denied_file);
-        if (strncmp(*denied_file, filename, denied_file_len) == 0 &&
-            ((denied_file_len < filename_len &&
-              (*denied_file)[denied_file_len - 1] == '/') ||
-             (denied_file_len == filename_len))) {
-          pthread_rwlock_unlock(&temp_permissions_table_lock);
-          return DENY;
+        if ((strncmp(*denied_file, filename, denied_file_len) == 0 &&
+             ((denied_file_len < filename_len &&
+               (*denied_file)[denied_file_len - 1] == '/') ||
+              (denied_file_len == filename_len))) &&
+            denied_file_len > maxlen) {
+          maxlen = denied_file_len;
+          ret = DENY;
        }
      }
      for_each(&permission_entry->allowed_files, allowed_file) {
        size_t allowed_file_len = strlen(*allowed_file);
-        if (strncmp(*allowed_file, filename, allowed_file_len) == 0 &&
-            ((allowed_file_len < filename_len &&
-              (*allowed_file)[allowed_file_len - 1] == '/') ||
-             (allowed_file_len == filename_len))) {
-          pthread_rwlock_unlock(&temp_permissions_table_lock);
-          return ALLOW;
+        if ((strncmp(*allowed_file, filename, allowed_file_len) == 0 &&
+             ((allowed_file_len < filename_len &&
+               (*allowed_file)[allowed_file_len - 1] == '/') ||
+              (allowed_file_len == filename_len))) &&
+            allowed_file > maxlen) {
+          maxlen = allowed_file_len;
+          ret = ALLOW;
        }
      }
+      pthread_rwlock_unlock(&temp_permissions_table_lock);
+      return ret;
    }
  }
  pthread_rwlock_unlock(&temp_permissions_table_lock);