vlserver: limit use of regex to admins always
authorD Brashear <shadow@your-file-system.com>
Fri, 18 Jul 2014 20:00:12 +0000 (16:00 -0400)
committerJeffrey Altman <jaltman@your-file-system.com>
Wed, 5 Aug 2015 14:44:48 +0000 (10:44 -0400)
allow regexes only if the querying user is a superuser.
if the superuser uses up all the resources, well, they could just do
whatever damage directly anyway. means even in unrestricted mode
we are not vulnerable

Change-Id: Ib35d649f31e752ba5ae8373a06b67ea76f97425c
Reviewed-on: http://gerrit.openafs.org/11968
Reviewed-by: Daria Brashear <shadow@your-file-system.com>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

src/vlserver/vlprocs.c

index f69ba58..6a72c94 100644 (file)
@@ -1729,6 +1729,10 @@ ListAttributesN2(struct rx_call *rxcall,
        findpartition = ((attributes->Mask & VLLIST_PARTITION) ? 1 : 0);
        findflag = ((attributes->Mask & VLLIST_FLAG) ? 1 : 0);
        if (name && (strcmp(name, ".*") != 0) && (strcmp(name, "") != 0)) {
+           if (!afsconf_SuperUser(vldb_confdir, rxcall, NULL)) {
+               code = VL_PERM;
+               goto done;
+           }
            sprintf(volumename, "^%s$", name);
 #ifdef HAVE_POSIX_REGEX
            if (regcomp(&re, volumename, REG_NOSUB) != 0) {