valter/dosbox-staging
1
0
Fork 0
Code Releases Activity

Allow longer commandlines in MOUNT and IMGMOUNT.

Browse source 
Fix crash reported by MiniMax (mount -u 0).
Fix bug reported by Tearex ("config -get" broken).
Add some protection that makes it harder to mount a directory from
within an executable.
Add some protection to make mounting from command /c much harder.
Add a securemode commandline switch to config and dosbox that should make it
impossible to mount a location when this isn't wanted by the user. (Addresses concerns of CVE-2007-6328)
Update documentation to reflect this.


Imported-from: https://svn.code.sf.net/p/dosbox/code-0/dosbox/trunk@3114
This commit is contained in:
Peter Veenstra 2008-03-02 11:13:47 +00:00
parent f2c40b9407
commit 3f2e4fbd83
9 changed files with 156 additions and 38 deletions
Download patch file Download diff file Expand all files Collapse all files

60
src/dos/dos_programs.cpp
View file

@ -16,7 +16,7 @@
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/
/* $Id: dos_programs.cpp,v 1.82 2008-01-19 11:02:29 qbix79 Exp $ */
/* $Id: dos_programs.cpp,v 1.83 2008-03-02 11:13:46 qbix79 Exp $ */
#include "dosbox.h"
#include <stdlib.h>
@ -72,6 +72,7 @@ static void ResolveHomedir(std::string & temp_line) {
}
}
class MOUNT : public Program {
public:
void Run(void)
@ -80,11 +81,32 @@ public:
std::string label;
std::string umount;
//Hack To allow long commandlines
ChangeToLongCmd();
/* Parse the command line */
/* if the command line is empty show current mounts */
if (!cmd->GetCount()) {
WriteOut(MSG_Get("PROGRAM_MOUNT_STATUS_1"));
for (int d=0;d<DOS_DRIVES;d++) {
if (Drives[d]) {
WriteOut(MSG_Get("PROGRAM_MOUNT_STATUS_2"),d+'A',Drives[d]->GetInfo());
}
}
return;
}
/* In secure mode don't allow people to change mount points.
* Neither mount nor unmount */
if(control->SecureMode()) {
WriteOut(MSG_Get("PROGRAM_CONFIG_SECURE_DISALLOW"));
return;
}
/* Check for unmounting */
if (cmd->FindString("-u",umount,false)) {
umount[0] = toupper(umount[0]);
int i_drive = umount[0]-'A';
if(i_drive < DOS_DRIVES && Drives[i_drive]) {
if(i_drive < DOS_DRIVES && i_drive >= 0 && Drives[i_drive]) {
switch (DriveManager::UnmountDrive(i_drive)) {
case 0:
Drives[i_drive] = 0;
@ -115,18 +137,6 @@ public:
return;
}
/* Parse the command line */
/* if the command line is empty show current mounts */
if (!cmd->GetCount()) {
WriteOut(MSG_Get("PROGRAM_MOUNT_STATUS_1"));
for (int d=0;d<DOS_DRIVES;d++) {
if (Drives[d]) {
WriteOut(MSG_Get("PROGRAM_MOUNT_STATUS_2"),d+'A',Drives[d]->GetInfo());
}
}
return;
}
std::string type="dir";
cmd->FindString("-t",type,true);
bool iscdrom = (type =="cdrom"); //Used for mscdex bug cdrom label name emulation
@ -492,6 +502,15 @@ private:
public:
void Run(void) {
//Hack To allow long commandlines
ChangeToLongCmd();
/* In secure mode don't allow people to boot stuff.
* They might try to corrupt the data on it */
if(control->SecureMode()) {
WriteOut(MSG_Get("PROGRAM_CONFIG_SECURE_DISALLOW"));
return;
}
FILE *usefile_1=NULL;
FILE *usefile_2=NULL;
Bitu i;
@ -946,8 +965,15 @@ static void INTRO_ProgramStart(Program * * make) {
class IMGMOUNT : public Program {
public:
void Run(void)
{
void Run(void) {
//Hack To allow long commandlines
ChangeToLongCmd();
/* In secure mode don't allow people to change imgmount points.
* Neither mount nor unmount */
if(control->SecureMode()) {
WriteOut(MSG_Get("PROGRAM_CONFIG_SECURE_DISALLOW"));
return;
}
DOS_Drive * newdrive;
imageDisk * newImage;
Bit32u imagesize;
@ -959,7 +985,7 @@ public:
if (cmd->FindString("-u",umount,false)) {
umount[0] = toupper(umount[0]);
int i_drive = umount[0]-'A';
if (i_drive < DOS_DRIVES && Drives[i_drive]) {
if (i_drive < DOS_DRIVES && i_drive >= 0 && Drives[i_drive]) {
switch (DriveManager::UnmountDrive(i_drive)) {
case 0:
Drives[i_drive] = 0;

36
src/misc/programs.cpp
View file

@ -16,7 +16,7 @@
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/
/* $Id: programs.cpp,v 1.30 2008-02-10 11:14:03 qbix79 Exp $ */
/* $Id: programs.cpp,v 1.31 2008-03-02 11:13:46 qbix79 Exp $ */
#include <vector>
#include <ctype.h>
@ -106,6 +106,18 @@ Program::Program() {
cmd = new CommandLine(filename,tail.buffer);
}
extern std::string full_arguments;
void Program::ChangeToLongCmd() {
CommandLine* temp = 0;
//If command_slashc => then don't pass any parameters to the internal .COM files
if(command_slashc) temp = new CommandLine(cmd->GetFileName(),"");
else temp = new CommandLine(cmd->GetFileName(),full_arguments.c_str());
delete cmd;
cmd = temp;
full_arguments.assign(""); //Clear so it gets even more save
}
void Program::WriteOut(const char * format,...) {
char buf[2048];
va_list msg;
@ -207,6 +219,11 @@ void CONFIG::Run(void) {
FILE * f;
if (cmd->FindString("-writeconf",temp_line,true)
|| cmd->FindString("-wc",temp_line,true)) {
/* In secure mode don't allow a new configfile to be created */
if(control->SecureMode()) {
WriteOut(MSG_Get("PROGRAM_CONFIG_SECURE_DISALLOW"));
return;
}
f=fopen(temp_line.c_str(),"wb+");
if (!f) {
WriteOut(MSG_Get("PROGRAM_CONFIG_FILE_ERROR"),temp_line.c_str());
@ -218,6 +235,12 @@ void CONFIG::Run(void) {
}
if (cmd->FindString("-writelang",temp_line,true)
||cmd->FindString("-wl",temp_line,true)) {
/* In secure mode don't allow a new languagefile to be created
* Who knows which kind of file we would overwriting. */
if(control->SecureMode()) {
WriteOut(MSG_Get("PROGRAM_CONFIG_SECURE_DISALLOW"));
return;
}
f=fopen(temp_line.c_str(),"wb+");
if (!f) {
WriteOut(MSG_Get("PROGRAM_CONFIG_FILE_ERROR"),temp_line.c_str());
@ -228,6 +251,13 @@ void CONFIG::Run(void) {
return;
}
/* Code for switching to secure mode */
if(cmd->FindExist("-securemode",true)) {
control->SwitchToSecureMode();
WriteOut(MSG_Get("PROGRAM_CONFIG_SECURE_ON"));
return;
}
/* Code for getting the current configuration. *
* Official format: config -get "section property" *
* As a bonus it will set %CONFIG% to this value as well */
@ -250,7 +280,7 @@ void CONFIG::Run(void) {
return;
}
std::string val = sec->GetPropValue(prop.c_str());
if(val != NO_SUCH_PROPERTY) {
if(val == NO_SUCH_PROPERTY) {
WriteOut(MSG_Get("PROGRAM_CONFIG_NO_PROPERTY"),prop.c_str(),temp_line.c_str());
return;
}
@ -338,6 +368,8 @@ void PROGRAMS_Init(Section* /*sec*/) {
MSG_Add("PROGRAM_CONFIG_FILE_ERROR","Can't open file %s\n");
MSG_Add("PROGRAM_CONFIG_USAGE","Config tool:\nUse -writeconf filename to write the current config.\nUse -writelang filename to write the current language strings.\n");
MSG_Add("PROGRAM_CONFIG_SECURE_ON","Switched to secure mode.\n");
MSG_Add("PROGRAM_CONFIG_SECURE_DISALLOW","This operation is not permitted in secure mode.\n");
MSG_Add("PROGRAM_CONFIG_SECTION_ERROR","Section %s doesn't exist.\n");
MSG_Add("PROGRAM_CONFIG_PROPERTY_ERROR","No such section or property.\n");
MSG_Add("PROGRAM_CONFIG_NO_PROPERTY","There is no property %s in section %s.\n");

37
src/shell/shell.cpp
View file

@ -16,7 +16,7 @@
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/
/* $Id: shell.cpp,v 1.88 2007-08-17 17:58:46 qbix79 Exp $ */
/* $Id: shell.cpp,v 1.89 2008-03-02 11:13:47 qbix79 Exp $ */
#include <stdlib.h>
#include <stdarg.h>
@ -28,6 +28,7 @@
#include "callback.h"
#include "support.h"
Bitu call_shellstop;
/* Larger scope so shell_del autoexec can use it to
* remove things from the environment */
@ -278,16 +279,22 @@ void DOS_Shell::RunInternal(void)
return;
}
bool command_slashc = false;
void DOS_Shell::Run(void) {
char input_line[CMD_MAXLINE] = {0};
std::string line;
if (cmd->FindStringRemain("/C",line)) {
//command_slashc indicates that the following commands are run with command /c. Forbid parameters to mount.
//command_allready_set prevents against command /c "command /c command"
bool command_allready_set = command_slashc;
command_slashc = true;
strcpy(input_line,line.c_str());
DOS_Shell temp;
temp.echo = echo;
temp.ParseLine(input_line); //for *.exe *.com |*.bat creates the bf needed by runinternal;
temp.RunInternal(); // exits when no bf is found.
if(!command_allready_set) command_slashc = false;
return;
}
/* Start a normal shell and check for a first command init */
@ -333,7 +340,7 @@ void DOS_Shell::SyntaxError(void) {
class AUTOEXEC:public Module_base {
private:
AutoexecObject autoexec[16];
AutoexecObject autoexec[17];
AutoexecObject autoexec_echo;
public:
AUTOEXEC(Section* configuration):Module_base(configuration) {
@ -341,9 +348,12 @@ public:
std::string line;
Section_line * section=static_cast<Section_line *>(configuration);
/* add stuff from the configfile unless -noautexec is specified. */
char * extra=const_cast<char*>(section->data.c_str());
if (extra && !control->cmdline->FindExist("-noautoexec",true)) {
/* Check -securemode switch to disable mount/imgmount/boot after running autoexec.bat */
bool secure = control->cmdline->FindExist("-securemode",true);
/* add stuff from the configfile unless -noautexec or -securemode is specified. */
char * extra = const_cast<char*>(section->data.c_str());
if (extra && !secure && !control->cmdline->FindExist("-noautoexec",true)) {
/* detect if "echo off" is the first line */
bool echo_off = !strncasecmp(extra,"echo off",8);
if (!echo_off) echo_off = !strncasecmp(extra,"@echo off",9);
@ -372,7 +382,10 @@ public:
/* Check for first command being a directory or file */
char buffer[CROSS_LEN];
char cross_filesplit[2] = {CROSS_FILESPLIT , 0};
if (control->cmdline->FindCommand(1,line)) {
/* Combining -securemode and no parameter leaves you with a lovely Z:\. */
if ( !control->cmdline->FindCommand(1,line) ) {
if ( secure ) autoexec[12].Install("z:\\config.com -securemode");
} else {
struct stat test;
strcpy(buffer,line.c_str());
if (stat(buffer,&test)){
@ -384,6 +397,7 @@ public:
if (test.st_mode & S_IFDIR) {
autoexec[12].Install(std::string("MOUNT C \"") + buffer + "\"");
autoexec[13].Install("C:");
if(secure) autoexec[14].Install("z:\\config.com -securemode");
} else {
char* name = strrchr(buffer,CROSS_FILESPLIT);
if (!name) { //Only a filename
@ -401,16 +415,19 @@ public:
autoexec[13].Install("C:");
upcase(name);
if(strstr(name,".BAT") != 0) {
if(secure) autoexec[14].Install("z:\\config.com -securemode");
/* BATch files are called else exit will not work */
autoexec[14].Install(std::string("CALL ") + name);
autoexec[15].Install(std::string("CALL ") + name);
} else if((strstr(name,".IMG") != 0) || (strstr(name,".IMA") !=0)) {
//No secure mode here as boot is destructive and enabling securemode disables boot
/* Boot image files */
autoexec[14].Install(std::string("BOOT ") + name);
autoexec[15].Install(std::string("BOOT ") + name);
} else {
autoexec[14].Install(name);
if(secure) autoexec[14].Install("z:\\config.com -securemode");
autoexec[15].Install(name);
}
if(addexit) autoexec[15].Install("exit");
if(addexit) autoexec[16].Install("exit");
}
}
nomount:

9
src/shell/shell_misc.cpp
View file

@ -16,7 +16,7 @@
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/
/* $Id: shell_misc.cpp,v 1.51 2007-08-22 11:21:28 qbix79 Exp $ */
/* $Id: shell_misc.cpp,v 1.52 2008-03-02 11:13:47 qbix79 Exp $ */
#include <stdlib.h>
#include <string.h>
@ -354,6 +354,7 @@ void DOS_Shell::InputCommand(char * line) {
if (l_completion.size()) l_completion.clear();
}
std::string full_arguments = "";
bool DOS_Shell::Execute(char * name,char * args) {
/* return true => don't check for hardware changes in do_command
* return false => check for hardware changes in do_command */
@ -438,7 +439,7 @@ bool DOS_Shell::Execute(char * name,char * args) {
if(strcasecmp(extension, ".com") !=0)
{
if(strcasecmp(extension, ".exe") !=0) return false;
}
}
/* Run the .exe or .com file from the shell */
/* Allocate some stack space for tables in physical memory */
reg_sp-=0x200;
@ -448,6 +449,10 @@ bool DOS_Shell::Execute(char * name,char * args) {
//Add a filename
RealPt file_name=RealMakeSeg(ss,reg_sp+0x20);
MEM_BlockWrite(Real2Phys(file_name),fullname,strlen(fullname)+1);
/* HACK: Store full commandline for mount and imgmount */
full_arguments.assign(line);
/* Fill the command line */
CommandTail cmdtail;
cmdtail.count = 0;