
Contents of /rpms/e-smith-lib/sme9/e-smith-lib-2.4.0-untaint_nic_names.patch



Revision 1.1 - (show annotations) (download)
Tue Mar 5 21:28:24 2013 UTC (11 years, 8 months ago) by vip-ire
Branch: MAIN
CVS Tags: e-smith-lib-2_4_0-18_el6_sme, e-smith-lib-2_4_0-9_el6_sme, e-smith-lib-2_4_0-11_el6_sme, e-smith-lib-2_4_0-12_el6_sme, e-smith-lib-2_4_0-7_el6_sme, e-smith-lib-2_4_0-6_el6_sme, e-smith-lib-2_4_0-17_el6_sme, e-smith-lib-2_4_0-15_el6_sme, e-smith-lib-2_4_0-16_el6_sme, e-smith-lib-2_4_0-13_el6_sme, e-smith-lib-2_4_0-14_el6_sme, e-smith-lib-2_4_0-8_el6_sme, e-smith-lib-2_4_0-5_el6_sme, e-smith-lib-2_4_0-10_el6_sme, HEAD
* Tue Mar 5 2013 Daniel Berteaud <daniel@firewall-services.com> 2.4.0-5.sme
- Untaint variable in probeAdapters() [SME: 7416]

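--- a/root/usr/share/perl5/vendor_perl/esmith/ethernet.pm
+++ b/root/usr/share/perl5/vendor_perl/esmith/ethernet.pm
@@ -44,6 +44,9 @@
 my $adapters = '';
 my $index = 1;
 foreach my $nic (@nics){
+ # Untaint $nic and makes sure the name looks OK
+ next unless ($nic =~ m/^(\w+[\.:]?\d+)$/);
+ $nic = $1;
 next if (
 # skip loopback
 $nic eq 'lo' ||
@@ -67,6 +70,9 @@
 open HW, "/sys/class/net/$nic/address";
 my $mac = join("", <HW>);
 close HW;
+ # Check MAC Addr and untaint it
+ next unless ($mac =~ m/^(([\da-f]{2}:){5}[\da-f]{2})$/i);
+ $mac = $1;
 # If the device is a slave of a bridge, it's real MAC
 # address can be found in /proc/net/bonding/bondX
 if (-l "/sys/class/net/$nic/master"){
@@ -82,14 +88,21 @@
 }
 chomp($mac);
 my $driver = basename (readlink "/sys/class/net/$nic/device/driver");
+ # Untaint driver name
+ next unless ($driver =~ m/^([\w\-]+)$/);
+ $driver = $1;
 my $bus = basename (readlink "/sys/class/net/$nic/device/subsystem");
 my $desc = $nic;
 if ($bus eq 'pci'){
 my $dev = basename (readlink "/sys/class/net/$nic/device");
- $desc = `/sbin/lspci -s $dev`;
- # Extract only description
- $desc =~ m/^.*:.*:\s+(.*)\s*/;
- $desc = $1;
+ # Untaint $dev
+ if ($dev =~ m/^(\d+:\d+:\d+\.\d+)$/){
+ $dev = $1;
+ $desc = `/sbin/lspci -s $dev`;
+ # Extract only description
+ $desc =~ m/^.*:.*:\s+(.*)\s*/;
+ $desc = $1;
+ }
 }
 elsif ($bus eq 'virtio'){
 $desc = 'Virtio Network Device';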
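Review bot: In the last hunk the `$dev` check uses `\d+` for every field, but PCI addresses under sysfs are hexadecimal (a bus such as `0a`, a slot such as `1f`), so those adapters fail validation and silently keep `$desc = $nic`. A pattern like `m/^([\da-f]+:[\da-f]+:[\da-f]+\.[\da-f]+)$/i` accepts them while still excluding shell metacharacters from the backtick command. The description match that follows is still unchecked, so when the lspci output does not match, `$1` holds the capture from the `$dev` test and the PCI address becomes the description; `$desc = ($desc =~ m/^.*:.*:\s+(.*)\s*/) ? $1 : $nic;` makes the fallback explicit. In the second hunk the MAC check runs before the bonding block, which, judging by the context comment, rereads the address from /proc/net/bonding, so that value may need the same check after reassignment. That block and the rest of the loop body lie outside the hunks shown.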
