From nobody Tue Aug 5 11:51:54 2025 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4bxBbt4JJQz64N9V; Tue, 05 Aug 2025 11:51:54 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4bxBbt2Xh0z3sWQ; Tue, 05 Aug 2025 11:51:54 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1754394714; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=dc/0I0F8zAP0Aun7Bdcfb8sTFeiHxlmUVdOVXd1+dhA=; b=Soyf3A4ejD3ryUS+Y2mJ9m8lgxa6mjWO+UpO+Xy0UQzbO85Xx1POuHrTSG+7/q9zS7LRJ+ eLz4JvCiP72DpdKLRjlhL+AGj97iEgoxXtG33B/mOsDGzstftC4SmtbCV0Wc8yaVBWp42D M5StlJJksitcYKmO37ZY/9bqmfFeJZQKa/9Aey62aihnOIdAaQ1xApizOO/fh6DxlYPtRF bMGVCYA/Ohx61ZadY+lJajwsNZKAJDSWz6fdLPkNEaCG8IJbhl1bIXbbktfjBF/CzxKa8V tM3A1mcDMTyVj4pLK/WrO6HIvjxIR5cEZ6GswcPGy2xpnJZuXf22SyKB7+VqfA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1754394714; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=dc/0I0F8zAP0Aun7Bdcfb8sTFeiHxlmUVdOVXd1+dhA=; b=fGwWLZJJz4Zsr7zPDxSoMHnyzPGVVk0eSFs2p7Gz99qY/3zSS7c5jyHCscS5tv1lpElCYw h+8IA41kTB5oGPDHOGuEfBAb1gPt/q7PRowP5wpnQu7d79RCLW3X8Yt2PQNPIVlVOWMvQg yVfHZpvRJntwdXEVNFAQKI7k7uMPSS/F8SVkA/LYQwqdMtb6EIobChsbPB6kUVncGjcpDQ j8GtwCwUkGKXhxAea+I8HFhF4ohz6pwMhSTrTenxjfWYrA+LQ06BkGpjuRFHowrj6uzX3R VY9pXYU8GMNsspTZcEL2aS1C2sKFxO/LoGGZXs7FuxB0W9bcspE8qYDnUogDmw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1754394714; a=rsa-sha256; cv=none; b=sJNQe67OUqTnwBdvrgCOfUYLvSCmNxLu9RFDeUBKBl8TcCHgo5yWgYqzyYD28U9kaTJdT2 VW/IpjUHFiJGYI2k7rayQJjy7fnJCSp7uH41HmLopuMl21cEdSeuQqA38McvA+gp9fcE+h 1a57t5DjOpWV9jojMc4IA0fYc/AKxHadSiFkrtG5T+p5Gy332XhMChQ+9qAzSzcxvrtm/g x/Up8ZpE0hjIJCnQgnChngJZz3TfPyR5BcIPKCMYC+80Qkt1ao5bLqzTmLll2cRIBqN7ar d7vJweKwefAOUh4EJzO9g/eqvBZLmxTd4fhLJoGPBq2E02Xx3nIX6PtdcDgGfA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4bxBbt25BLzZX7; Tue, 05 Aug 2025 11:51:54 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 575BpsR0023973; Tue, 5 Aug 2025 11:51:54 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 575BpsZW023959; Tue, 5 Aug 2025 11:51:54 GMT (envelope-from git) Date: Tue, 5 Aug 2025 11:51:54 GMT Message-Id: <202508051151.575BpsZW023959@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Dag-Erling =?utf-8?Q?Sm=C3=B8rgrav?= Subject: git: 4406fe5f2203 - stable/14 - comsat: Don't read arbitrary files List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 4406fe5f220357223978de58d3c1f9847dfa9d1b Auto-Submitted: auto-generated The branch stable/14 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=4406fe5f220357223978de58d3c1f9847dfa9d1b commit 4406fe5f220357223978de58d3c1f9847dfa9d1b Author: Dag-Erling Smørgrav AuthorDate: 2025-07-28 15:28:26 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2025-08-05 09:30:02 +0000 comsat: Don't read arbitrary files When processing a notification, instead of accepting any file name that doesn't begin with a slash, accept only file names that don't contain any slashes at all. This makes it possible to notify a user about a mailbox that doesn't bear their name, as long as they are permitted to read it, but prevents comsat from reading files outside the mail spool. PR: 270404 MFC after: 1 week Reviewed by: emaste Differential Revision: https://reviews.freebsd.org/D51580 (cherry picked from commit 4a4338d94401f0012380d4f1a4d332bd6d44fa8e) --- libexec/comsat/comsat.c | 38 +++++++++++++------------------------- 1 file changed, 13 insertions(+), 25 deletions(-) diff --git a/libexec/comsat/comsat.c b/libexec/comsat/comsat.c index 2358336be61a..294e725b4e37 100644 --- a/libexec/comsat/comsat.c +++ b/libexec/comsat/comsat.c @@ -125,29 +125,24 @@ mailfor(char *name) char *file; off_t offset; int folder; - char buf[sizeof(_PATH_MAILDIR) + sizeof(utp->ut_user) + 1]; - char buf2[sizeof(_PATH_MAILDIR) + sizeof(utp->ut_user) + 1]; + char buf[MAXPATHLEN]; - if (!(cp = strchr(name, '@'))) + if ((cp = strchr(name, '@')) == NULL) return; *cp = '\0'; offset = strtoll(cp + 1, NULL, 10); - if (!(cp = strchr(cp + 1, ':'))) - file = name; - else - file = cp + 1; - sprintf(buf, "%s/%.*s", _PATH_MAILDIR, (int)sizeof(utp->ut_user), - name); - if (*file != '/') { - sprintf(buf2, "%s/%.*s", _PATH_MAILDIR, - (int)sizeof(utp->ut_user), file); - file = buf2; + if ((cp = strchr(cp + 1, ':')) != NULL && + strchr((file = cp + 1), '/') == NULL) { + snprintf(buf, sizeof(buf), "%s/%s", _PATH_MAILDIR, file); + folder = 1; + } else { + snprintf(buf, sizeof(buf), "%s/%s", _PATH_MAILDIR, name); + folder = 0; } - folder = strcmp(buf, file); setutxent(); while ((utp = getutxent()) != NULL) if (utp->ut_type == USER_PROCESS && !strcmp(utp->ut_user, name)) - notify(utp, file, offset, folder); + notify(utp, buf, offset, folder); endutxent(); } @@ -171,8 +166,7 @@ notify(struct utmpx *utp, char file[], off_t offset, int folder) utp->ut_line); return; } - (void)snprintf(tty, sizeof(tty), "%s%.*s", - _PATH_DEV, (int)sizeof(utp->ut_line), utp->ut_line); + (void)snprintf(tty, sizeof(tty), "%s%s", _PATH_DEV, utp->ut_line); if (stat(tty, &stb) == -1 || !(stb.st_mode & (S_IXUSR | S_IXGRP))) { dsyslog(LOG_DEBUG, "%s: wrong mode on %s", utp->ut_user, tty); return; @@ -201,24 +195,18 @@ notify(struct utmpx *utp, char file[], off_t offset, int folder) setuid(p->pw_uid) == -1) return; - switch (stb.st_mode & (S_IXUSR | S_IXGRP)) { - case S_IXUSR: - case (S_IXUSR | S_IXGRP): + if (stb.st_mode & S_IXUSR) { (void)fprintf(tp, "%s\007New mail for %s@%.*s\007 has arrived%s%s%s:%s----%s", cr, utp->ut_user, (int)sizeof(hostname), hostname, folder ? cr : "", folder ? "to " : "", folder ? file : "", cr, cr); jkfprintf(tp, file, offset); - break; - case S_IXGRP: + } else if (stb.st_mode & S_IXGRP) { (void)fprintf(tp, "\007"); (void)fflush(tp); (void)sleep(1); (void)fprintf(tp, "\007"); - break; - default: - break; } (void)fclose(tp); _exit(0);