authorkientzle <kientzle@FreeBSD.org>2004-02-29 22:13:28 +0000
committerkientzle <kientzle@FreeBSD.org>2004-02-29 22:13:28 +0000
commit48517ca7da7dcb3e5782eed3d7a0b79794e44774 (patch)
tree709c041daecab45c2b0ff6eadc60f4b9b43367a3
parent9d29f488fff50b2f5e4eb49f972fb3d0e3522029 (diff)
Back out the "clean_environment()" function from libutil.
Further contemplation has convinced me that this was not going to really solve the problem of environment-poisoning without raising serious administrative headaches. There must be a better way...
-rw-r--r--lib/libutil/Makefile8
-rw-r--r--lib/libutil/clean_environment.386
-rw-r--r--lib/libutil/clean_environment.c121
3 files changed, 4 insertions, 211 deletions
diff --git a/lib/libutil/Makefile b/lib/libutil/Makefile
index de6aa63..e13663c 100644
--- a/lib/libutil/Makefile
+++ b/lib/libutil/Makefile
@@ -6,9 +6,9 @@ SHLIB_MAJOR= 4
SHLIBDIR?= /lib
CFLAGS+=-DLIBC_SCCS -I${.CURDIR} -I${.CURDIR}/../libc/gen/
CFLAGS+=-DINET6
-SRCS= _secure_path.c auth.c clean_environment.c fparseln.c login.c \
- login_auth.c login_cap.c login_class.c login_crypt.c login_ok.c \
- login_times.c login_tty.c logout.c logwtmp.c property.c pty.c \
+SRCS= _secure_path.c auth.c fparseln.c login.c login_auth.c \
+ login_cap.c login_class.c login_crypt.c login_ok.c login_times.c \
+ login_tty.c logout.c logwtmp.c property.c pty.c \
pw_util.c realhostname.c stub.c \
trimdomain.c uucplock.c
INCS= libutil.h login_cap.h
@@ -16,7 +16,7 @@ INCS= libutil.h login_cap.h
MAN+= login.3 login_auth.3 login_tty.3 logout.3 logwtmp.3 pty.3 \
login_cap.3 login_class.3 login_times.3 login_ok.3 \
_secure_path.3 uucplock.3 property.3 auth.3 realhostname.3 \
- realhostname_sa.3 trimdomain.3 fparseln.3 clean_environment.3
+ realhostname_sa.3 trimdomain.3 fparseln.3
MAN+= login.conf.5 auth.conf.5
MLINKS+= property.3 properties_read.3 property.3 properties_free.3
MLINKS+= property.3 property_find.3
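Review bot: The public declaration of clean_environment() is not touched by this back-out — the diffstat lists only the Makefile, the .3 page and the .c file — yet the removed source included "libutil.h" and the removed manual page named that header in its SYNOPSIS. If libutil.h still carries the prototype, a caller that picked it up from the previous tree will compile cleanly and then fail at link time with no hint that the function was withdrawn; the header should drop the declaration in the same commit, or the description should say a follow-up is coming. The SRCS reflow in the first hunk and the MAN list edit in the second are otherwise consistent with each other.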
diff --git a/lib/libutil/clean_environment.3 b/lib/libutil/clean_environment.3
deleted file mode 100644
index b99ebf3..0000000
--- a/lib/libutil/clean_environment.3
+++ /dev/null
@@ -1,86 +0,0 @@
-.\" Copyright (c) 2003 Tim Kientzle
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $FreeBSD$
-.\"
-.Dd March 1, 2004
-.Os
-.Dt CLEAN_ENVIRONMENT 3
-.Sh NAME
-.Nm clean_environment
-.Nd sanitize environment variables
-.Sh LIBRARY
-.Lb libutil
-.Sh SYNOPSIS
-.In libutil.h
-.Ft void
-.Fn clean_environment "const char * const *whitelist" "const char * const *extra_whitelist"
-.Sh DESCRIPTION
-The
-.Fn clean_environment
-function removes unsafe environment variables from the current
-process environment.
-It scans the current environment and discards any environment variable
-that does not occur in one of the two NULL-terminated lists.
-.Pp
-If the first argument is
-.Dv NULL ,
-a built-in default whitelist will be used.
-Most callers will use
-.Dv NULL
-for both arguments to obtain the default environment screening.
-Callers who need to make minor adjustments to the built-in
-whitelist can set the first argument to
-.Dv NULL
-and use the second argument to, in effect,
-add elements to the built-in whitelist.
-.Sh EXAMPLES
-The first example illustrates the typical usage.
-In this case, the default built-in environment screen
-will be used, which removes all environment variables
-that are not on the built-in whitelist.
-.Bd -literal -offset indent
- clean_environment(NULL, NULL);
-.Ed
-.Pp
-The following example applies the default environment screens
-except that the environment variables
-.Cm MYCUSTOM
-and
-.Cm MYCUSTOM2
-will also be kept and the
-.Cm TERM
-and
-.Cm TERMCAP
-environment variables will be removed.
-.Bd -literal -offset indent
- const char *keep[] = { "MYCUSTOM", "MYCUSTOM2", NULL };
- const char *remove[] = { "TERM", "TERMCAP", NULL };
-
- clean_environment(NULL, keep);
- for (p = remove; *p != NULL; p++)
- unsetenv(*p);
-.Ed
-.Sh SEE ALSO
-.Xr unsetenv 3
diff --git a/lib/libutil/clean_environment.c b/lib/libutil/clean_environment.c
deleted file mode 100644
index 068e412..0000000
--- a/lib/libutil/clean_environment.c
+++ /dev/null
@@ -1,121 +0,0 @@
-/*-
- * Copyright (c) 2004 Tim Kientzle
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer
- * in this position and unchanged.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include <sys/cdefs.h>
-__FBSDID("$FreeBSD$");
-
-#include <sys/types.h>
-#include <string.h>
-#include "libutil.h"
-
-static int env_var_in_list(const char * const *list, char *var, size_t len);
-
-
-/*
- * Default whitelist of "known safe" environment variables.
- */
-static const char *default_whitelist[] = {
- /* List from SUS "Environment Variables" Appendix */
- "ARFLAGS", "CC", "CDPATH", "CFLAGS", "CHARSET", "COLUMNS",
- "DATEMSK", "DEAD", "EDITOR", "ENV", "EXINIT", "FC", "FCEDIT",
- "FFLAGS", "GET", "GFLAGS", "HISTFILE", "HISTORY", "HISTSIZE",
- "HOME", "IFS", "LANG", "LC_ALL", "LC_COLLATE", "LC_CTYPE",
- "LC_MESSAGES", "LC_MONETARY", "LC_NUMERIC", "LC_TIME", "LDFLAGS",
- "LEX", "LFLAGS", "LINENO", "LINES", "LISTER", "LOGNAME", "LPDEST",
- "MAIL", "MAILCHECK", "MAILER", "MAILPATH", "MAILRC", "MAKEFLAGS",
- "MAKESHELL", "MANPATH", "MBOX", "MORE", "MSGVERB", "NLSPATH",
- "NPROC", "OLDPWD", "OPTARG", "OPTERR", "OPTIND", "PAGER", "PATH",
- "PPID", "PRINTER", "PROCLANG", "PROJECTDIR", "PS1", "PS2", "PS3",
- "PS4", "PWD", "RANDOM", "SECONDS", "SHELL", "TERM", "TERMCAP",
- "TERMINFO", "TMPDIR", "TZ", "USER", "VISUAL", "YACC", "YFLAGS",
-
- /* Additional Environment Variables */
- "KRB5CCNAME", "LOGIN", "MAILDIR", "SSH_AGENT_PID", "SSH_AUTH_SOCK",
-
- /* Terminating NULL */
- NULL
-};
-
-static int
-env_var_in_list(const char * const *list, char *var, size_t len)
-{
- if (list == NULL)
- return (0);
-
- while (*list != NULL) {
- if (strncmp(var, *list, len) == 0 &&
- len == strlen(*list))
- return (1);
- list++;
- }
- return (0);
-}
-
-
-/*
- * Scrub the environment by applying a "whitelist" of safe variables
- * and a "blacklist" of known dangerous variables. Each environment
- * variable is examined and is retained only if it appears in a whitelist
- * and does not appear in the blacklist.
- *
- * If the first argument is NULL, a built-in whitelist will be used.
- * The second and third arguments allow clients to adjust the built-in
- * whitelist without having to replicate it.
- *
- */
-void
-clean_environment(const char * const *whitelist,
- const char * const *extra_whitelist)
-{
- extern char **environ;
- char *p, **new, **old;
- int len;
- int safe;
-
- old = environ;
- new = environ;
-
- if (whitelist == NULL)
- whitelist = default_whitelist;
-
- while (*old != NULL) {
- safe = 0;
- p = strchr(*old, '=');
- if (p != NULL)
- len = p - *old;
- else
- len = strlen(*old);
-
- if (env_var_in_list(whitelist, *old, len) ||
- env_var_in_list(extra_whitelist, *old, len))
- *new++ = *old;
-
- old++;
- }
- while (*new != NULL)
- *new++ = NULL;
-
-}