Add minimal validation of the service name to fend off at least one

attack vector against applications that allow the applicant to specify which policy to apply. Submitted by: Matthias Drochner <drochner@netbsd.org> MFC after: 1 week
author: Dag-Erling Smørgrav <des@FreeBSD.org> 2011-12-10 01:44:24 +0000
committer: Dag-Erling Smørgrav <des@FreeBSD.org> 2011-12-10 01:44:24 +0000
commit: 4125bad6b48214f7878fb43718c00dd225a77784 (patch)
tree: 927411920adda6798264f3fcff6b6f8220d1e8c4 /contrib/openpam
parent: 214ca32f1f840a7d477ed5d448dbc8fa4f4ec461 (diff)
download: src-test-4125bad6b48214f7878fb43718c00dd225a77784.tar.gz
src-test-4125bad6b48214f7878fb43718c00dd225a77784.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/contrib/openpam/lib/openpam_configure.c b/contrib/openpam/lib/openpam_configure.c
index f9197adcfa475..688b2acc50b9a 100644
--- a/contrib/openpam/lib/openpam_configure.c
+++ b/contrib/openpam/lib/openpam_configure.c
@@ -285,6 +285,13 @@ openpam_load_chain(pam_handle_t *pamh,
 	size_t len;
 	int r;
 
+	/* don't allow to escape from policy_path */
+	if (strchr(service, '/')) {
+		openpam_log(PAM_LOG_ERROR, "invalid service name: %s",
+		    service);
+		return (-PAM_SYSTEM_ERR);
+	}
+
 	for (path = openpam_policy_path; *path != NULL; ++path) {
 		len = strlen(*path);
 		if ((*path)[len - 1] == '/') {
author	Dag-Erling Smørgrav <des@FreeBSD.org>	2011-12-10 01:44:24 +0000
committer	Dag-Erling Smørgrav <des@FreeBSD.org>	2011-12-10 01:44:24 +0000
commit	4125bad6b48214f7878fb43718c00dd225a77784 (patch)
tree	927411920adda6798264f3fcff6b6f8220d1e8c4 /contrib/openpam
parent	214ca32f1f840a7d477ed5d448dbc8fa4f4ec461 (diff)
download	src-test-4125bad6b48214f7878fb43718c00dd225a77784.tar.gz src-test-4125bad6b48214f7878fb43718c00dd225a77784.zip