Fixed arbitrary permission order

Fixed undefined order of permissions
2025-05-20 11:07:28 +02:00 · 2025-05-20 10:50:58 +02:00
2 changed files with 27 additions and 17 deletions
--- a/src/perm_permissions_table.c
+++ b/src/perm_permissions_table.c
@ -212,14 +212,20 @@ access_t check_perm_access_noparent(const char *filename,

  access_t ret = NDEF;
  sqlite3_stmt *stmt = NULL;
-  const char *sql = "SELECT mode FROM permissions WHERE executable = ?1 "
-                    "AND (( ?2 LIKE CONCAT(filename, \'%\') AND filename "
-                    "GLOB \'*/\') OR filename = ?2 );";
+  const char *sql =
+      "SELECT mode FROM permissions WHERE executable = ?1 "
+      "AND (( ?2 LIKE CONCAT(filename, \'%\') AND filename "
+      "GLOB \'*/\') OR filename = ?2 ) ORDER BY LENGTH( filename ) DESC;";
  sqlite3_prepare_v2(perm_database, sql, -1, &stmt, NULL);
  sqlite3_bind_text(stmt, 1, pi.name, -1, SQLITE_STATIC);
  sqlite3_bind_text(stmt, 2, filename, -1, SQLITE_STATIC);

  int step_ret = sqlite3_step(stmt);
+  if (step_ret != SQLITE_ROW && step_ret != SQLITE_DONE) {
+    fprintf(stderr, "SQLite error: %s\n", sqlite3_errstr(step_ret));
+    sqlite3_finalize(stmt);
+    return ret;
+  }
  if (step_ret == SQLITE_ROW) {
    int mode_col = sqlite3_column_int(stmt, 0);
    if (mode_col) {
@ -227,8 +233,6 @@ access_t check_perm_access_noparent(const char *filename,
    } else {
      ret = DENY;
    }
-  } else {
-    fprintf(stderr, "SQLite error: %s\n", sqlite3_errstr(step_ret));
  }
  sqlite3_finalize(stmt);

--- a/src/temp_permissions_table.c
+++ b/src/temp_permissions_table.c
@ -192,26 +192,32 @@ access_t check_temp_access_noparent(const char *filename, pid_t pid) {
      // the process is the same as the one that was granted temporary access
      // to the file
      size_t filename_len = strlen(filename);
+      access_t ret = NDEF;
+      size_t maxlen = 0;
      for_each(&permission_entry->denied_files, denied_file) {
        size_t denied_file_len = strlen(*denied_file);
-        if (strncmp(*denied_file, filename, denied_file_len) == 0 &&
-            ((denied_file_len < filename_len &&
-              (*denied_file)[denied_file_len - 1] == '/') ||
-             (denied_file_len == filename_len))) {
-          pthread_rwlock_unlock(&temp_permissions_table_lock);
-          return DENY;
+        if ((strncmp(*denied_file, filename, denied_file_len) == 0 &&
+             ((denied_file_len < filename_len &&
+               (*denied_file)[denied_file_len - 1] == '/') ||
+              (denied_file_len == filename_len))) &&
+            denied_file_len > maxlen) {
+          maxlen = denied_file_len;
+          ret = DENY;
        }
      }
      for_each(&permission_entry->allowed_files, allowed_file) {
        size_t allowed_file_len = strlen(*allowed_file);
-        if (strncmp(*allowed_file, filename, allowed_file_len) == 0 &&
-            ((allowed_file_len < filename_len &&
-              (*allowed_file)[allowed_file_len - 1] == '/') ||
-             (allowed_file_len == filename_len))) {
-          pthread_rwlock_unlock(&temp_permissions_table_lock);
-          return ALLOW;
+        if ((strncmp(*allowed_file, filename, allowed_file_len) == 0 &&
+             ((allowed_file_len < filename_len &&
+               (*allowed_file)[allowed_file_len - 1] == '/') ||
+              (allowed_file_len == filename_len))) &&
+            allowed_file > maxlen) {
+          maxlen = allowed_file_len;
+          ret = ALLOW;
        }
      }
+      pthread_rwlock_unlock(&temp_permissions_table_lock);
+      return ret;
    }
  }
  pthread_rwlock_unlock(&temp_permissions_table_lock);
Author	SHA1	Message	Date
fedir	b550c93884	Fixed arbitrary permission order	2025-05-20 11:07:28 +02:00
fedir	a7e5d7d92d	Fixed undefined order of permissions	2025-05-20 10:50:58 +02:00