Changeset 20020 in vbox for trunk/src/VBox/HostServices/SharedFolders

Timestamp:

May 26, 2009 10:06:21 AM (16 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

47743

Message:

shared folders: prevent the guest to access parent directories

File:

• trunk/src/VBox/HostServices/SharedFolders/vbsf.cpp (modified) (4 diffs)

trunk/src/VBox/HostServices/SharedFolders/vbsf.cpp

@@ -178 +178 @@
 }
 
+static int vbsfPathCheck(const char *pUtf8Path, size_t cbPath)
+{
+    int rc = VINF_SUCCESS;
+
+    /* The pUtf8Path is what the guest sent. Verify that the path is within the root.
+     * Count '..' and other path components and check that we do not go over the root.
+     */
+
+    size_t i = 0;
+    int cComponents = 0; /* How many normal path components. */
+    int cParentDirs = 0; /* How many '..' components. */
+
+    for (;;)
+    {
+        /* Skip leading path delimiters. */
+        while (   i < cbPath
+               && (pUtf8Path[i] == '\\' || pUtf8Path[i] == '/'))
+            i++;
+
+        if (i >= cbPath)
+            break;
+
+        /* Check if that is a dot component. */
+        int cDots = 0;
+        while (i < cbPath && pUtf8Path[i] == '.')
+        {
+            cDots++;
+            i++;
+        }
+
+        if (   cDots >= 2 /* Consider all multidots sequences as a 'parent dir'. */
+            && (i >= cbPath || (pUtf8Path[i] == '\\' || pUtf8Path[i] == '/')))
+        {
+            cParentDirs++;
+        }
+        else if (   cDots == 1
+                 && (i >= cbPath || (pUtf8Path[i] == '\\' || pUtf8Path[i] == '/')))
+        {
+            /* Single dot, nothing changes. */
+        }
+        else
+        {
+            /* Skip this component. */
+            while (   i < cbPath
+                   && (pUtf8Path[i] != '\\' && pUtf8Path[i] != '/'))
+                i++;
+
+            cComponents++;
+        }
+
+        Assert(i >= cbPath || (pUtf8Path[i] == '\\' || pUtf8Path[i] == '/'));
+
+        /* Verify counters for every component. */
+        if (cParentDirs > cComponents)
+        {
+            rc = VERR_INVALID_NAME;
+            break;
+        }
+    }
+
+    return rc;
+}
+
 static int vbsfBuildFullPath (SHFLCLIENTDATA *pClient, SHFLROOT root, SHFLSTRING *pPath,
                               uint32_t cbPath, char **ppszFullPath, uint32_t *pcbFullPathRoot, bool fWildCard = false)
@@ -200 +263 @@
         char *utf8Root;
 
-        rc = RTUtf16ToUtf8 (pwszRoot, &utf8Root);
+        /* Verify that the path is under the root directory. */
+        rc = vbsfPathCheck((char *)&pPath->String.utf8[0], pPath->u16Length);
+
+        if (RT_SUCCESS (rc))
+        {
+            rc = RTUtf16ToUtf8 (pwszRoot, &utf8Root);
+        }
+
         if (RT_SUCCESS (rc))
         {
@@ -345 +415 @@
                     AssertFailed();
 #ifdef RT_OS_DARWIN
-                        RTMemFree(pPath);
-                        pPath = pPathParameter;
+                    RTMemFree(pPath);
+                    pPath = pPathParameter;
 #endif
                     return rc;
@@ -352 +422 @@
 
                 uint32_t l = (uint32_t)strlen (dst);
+
+                /* Verify that the path is under the root directory. */
+                rc = vbsfPathCheck(dst, l);
+
+                if (RT_FAILURE(rc))
+                {
+#ifdef RT_OS_DARWIN
+                    RTMemFree(pPath);
+                    pPath = pPathParameter;
+#endif
+                    return rc;
+                }
 
                 cb -= l;