1 | /* |
---|
2 | * security.c: Implementation of the XSLT security framework |
---|
3 | * |
---|
4 | * See Copyright for the status of this software. |
---|
5 | * |
---|
6 | * daniel@veillard.com |
---|
7 | */ |
---|
8 | |
---|
9 | #define IN_LIBXSLT |
---|
10 | #include "libxslt.h" |
---|
11 | |
---|
12 | #include <string.h> |
---|
13 | |
---|
14 | #ifdef HAVE_SYS_TYPES_H |
---|
15 | #include <sys/types.h> |
---|
16 | #endif |
---|
17 | #ifdef HAVE_SYS_STAT_H |
---|
18 | #include <sys/stat.h> |
---|
19 | #endif |
---|
20 | |
---|
21 | #ifdef HAVE_MATH_H |
---|
22 | #include <math.h> |
---|
23 | #endif |
---|
24 | #ifdef HAVE_FLOAT_H |
---|
25 | #include <float.h> |
---|
26 | #endif |
---|
27 | #ifdef HAVE_IEEEFP_H |
---|
28 | #include <ieeefp.h> |
---|
29 | #endif |
---|
30 | #ifdef HAVE_NAN_H |
---|
31 | #include <nan.h> |
---|
32 | #endif |
---|
33 | #ifdef HAVE_CTYPE_H |
---|
34 | #include <ctype.h> |
---|
35 | #endif |
---|
36 | |
---|
37 | #include <libxml/xmlmemory.h> |
---|
38 | #include <libxml/tree.h> |
---|
39 | #include <libxml/uri.h> |
---|
40 | #include "xslt.h" |
---|
41 | #include "xsltInternals.h" |
---|
42 | #include "xsltutils.h" |
---|
43 | #include "security.h" |
---|
44 | |
---|
45 | |
---|
46 | struct _xsltSecurityPrefs { |
---|
47 | xsltSecurityCheck readFile; |
---|
48 | xsltSecurityCheck createFile; |
---|
49 | xsltSecurityCheck createDir; |
---|
50 | xsltSecurityCheck readNet; |
---|
51 | xsltSecurityCheck writeNet; |
---|
52 | }; |
---|
53 | |
---|
54 | static xsltSecurityPrefsPtr xsltDefaultSecurityPrefs = NULL; |
---|
55 | |
---|
56 | /************************************************************************ |
---|
57 | * * |
---|
58 | * Module interfaces * |
---|
59 | * * |
---|
60 | ************************************************************************/ |
---|
61 | |
---|
62 | /** |
---|
63 | * xsltNewSecurityPrefs: |
---|
64 | * |
---|
65 | * Create a new security preference block |
---|
66 | * |
---|
67 | * Returns a pointer to the new block or NULL in case of error |
---|
68 | */ |
---|
69 | xsltSecurityPrefsPtr |
---|
70 | xsltNewSecurityPrefs(void) { |
---|
71 | xsltSecurityPrefsPtr ret; |
---|
72 | |
---|
73 | ret = (xsltSecurityPrefsPtr) xmlMalloc(sizeof(xsltSecurityPrefs)); |
---|
74 | if (ret == NULL) { |
---|
75 | xsltTransformError(NULL, NULL, NULL, |
---|
76 | "xsltNewSecurityPrefs : malloc failed\n"); |
---|
77 | return(NULL); |
---|
78 | } |
---|
79 | memset(ret, 0, sizeof(xsltSecurityPrefs)); |
---|
80 | return(ret); |
---|
81 | } |
---|
82 | |
---|
83 | /** |
---|
84 | * xsltFreeSecurityPrefs: |
---|
85 | * @sec: the security block to free |
---|
86 | * |
---|
87 | * Free up a security preference block |
---|
88 | */ |
---|
89 | void |
---|
90 | xsltFreeSecurityPrefs(xsltSecurityPrefsPtr sec) { |
---|
91 | if (sec == NULL) |
---|
92 | return; |
---|
93 | xmlFree(sec); |
---|
94 | } |
---|
95 | |
---|
96 | /** |
---|
97 | * xsltSetSecurityPrefs: |
---|
98 | * @sec: the security block to update |
---|
99 | * @option: the option to update |
---|
100 | * @func: the user callback to use for this option |
---|
101 | * |
---|
102 | * Update the security option to use the new callback checking function |
---|
103 | * |
---|
104 | * Returns -1 in case of error, 0 otherwise |
---|
105 | */ |
---|
106 | int |
---|
107 | xsltSetSecurityPrefs(xsltSecurityPrefsPtr sec, xsltSecurityOption option, |
---|
108 | xsltSecurityCheck func) { |
---|
109 | if (sec == NULL) |
---|
110 | return(-1); |
---|
111 | switch (option) { |
---|
112 | case XSLT_SECPREF_READ_FILE: |
---|
113 | sec->readFile = func; return(0); |
---|
114 | case XSLT_SECPREF_WRITE_FILE: |
---|
115 | sec->createFile = func; return(0); |
---|
116 | case XSLT_SECPREF_CREATE_DIRECTORY: |
---|
117 | sec->createDir = func; return(0); |
---|
118 | case XSLT_SECPREF_READ_NETWORK: |
---|
119 | sec->readNet = func; return(0); |
---|
120 | case XSLT_SECPREF_WRITE_NETWORK: |
---|
121 | sec->writeNet = func; return(0); |
---|
122 | } |
---|
123 | return(-1); |
---|
124 | } |
---|
125 | |
---|
126 | /** |
---|
127 | * xsltGetSecurityPrefs: |
---|
128 | * @sec: the security block to update |
---|
129 | * @option: the option to lookup |
---|
130 | * |
---|
131 | * Lookup the security option to get the callback checking function |
---|
132 | * |
---|
133 | * Returns NULL if not found, the function otherwise |
---|
134 | */ |
---|
135 | xsltSecurityCheck |
---|
136 | xsltGetSecurityPrefs(xsltSecurityPrefsPtr sec, xsltSecurityOption option) { |
---|
137 | if (sec == NULL) |
---|
138 | return(NULL); |
---|
139 | switch (option) { |
---|
140 | case XSLT_SECPREF_READ_FILE: |
---|
141 | return(sec->readFile); |
---|
142 | case XSLT_SECPREF_WRITE_FILE: |
---|
143 | return(sec->createFile); |
---|
144 | case XSLT_SECPREF_CREATE_DIRECTORY: |
---|
145 | return(sec->createDir); |
---|
146 | case XSLT_SECPREF_READ_NETWORK: |
---|
147 | return(sec->readNet); |
---|
148 | case XSLT_SECPREF_WRITE_NETWORK: |
---|
149 | return(sec->writeNet); |
---|
150 | } |
---|
151 | return(NULL); |
---|
152 | } |
---|
153 | |
---|
154 | /** |
---|
155 | * xsltSetDefaultSecurityPrefs: |
---|
156 | * @sec: the security block to use |
---|
157 | * |
---|
158 | * Set the default security preference application-wide |
---|
159 | */ |
---|
160 | void |
---|
161 | xsltSetDefaultSecurityPrefs(xsltSecurityPrefsPtr sec) { |
---|
162 | xsltDefaultSecurityPrefs = sec; |
---|
163 | } |
---|
164 | |
---|
165 | /** |
---|
166 | * xsltGetDefaultSecurityPrefs: |
---|
167 | * |
---|
168 | * Get the default security preference application-wide |
---|
169 | * |
---|
170 | * Returns the current xsltSecurityPrefsPtr in use or NULL if none |
---|
171 | */ |
---|
172 | xsltSecurityPrefsPtr |
---|
173 | xsltGetDefaultSecurityPrefs(void) { |
---|
174 | return(xsltDefaultSecurityPrefs); |
---|
175 | } |
---|
176 | |
---|
177 | /** |
---|
178 | * xsltSetCtxtSecurityPrefs: |
---|
179 | * @sec: the security block to use |
---|
180 | * @ctxt: an XSLT transformation context |
---|
181 | * |
---|
182 | * Set the security preference for a specific transformation |
---|
183 | * |
---|
184 | * Returns -1 in case of error, 0 otherwise |
---|
185 | */ |
---|
186 | int |
---|
187 | xsltSetCtxtSecurityPrefs(xsltSecurityPrefsPtr sec, |
---|
188 | xsltTransformContextPtr ctxt) { |
---|
189 | if (ctxt == NULL) |
---|
190 | return(-1); |
---|
191 | ctxt->sec = (void *) sec; |
---|
192 | return(0); |
---|
193 | } |
---|
194 | |
---|
195 | |
---|
196 | /** |
---|
197 | * xsltSecurityAllow: |
---|
198 | * @sec: the security block to use |
---|
199 | * @ctxt: an XSLT transformation context |
---|
200 | * @value: unused |
---|
201 | * |
---|
202 | * Function used to always allow an operation |
---|
203 | * |
---|
204 | * Returns 1 always |
---|
205 | */ |
---|
206 | int |
---|
207 | xsltSecurityAllow(xsltSecurityPrefsPtr sec ATTRIBUTE_UNUSED, |
---|
208 | xsltTransformContextPtr ctxt ATTRIBUTE_UNUSED, |
---|
209 | const char *value ATTRIBUTE_UNUSED) { |
---|
210 | return(1); |
---|
211 | } |
---|
212 | |
---|
213 | /** |
---|
214 | * xsltSecurityForbid: |
---|
215 | * @sec: the security block to use |
---|
216 | * @ctxt: an XSLT transformation context |
---|
217 | * @value: unused |
---|
218 | * |
---|
219 | * Function used to always forbid an operation |
---|
220 | * |
---|
221 | * Returns 0 always |
---|
222 | */ |
---|
223 | int |
---|
224 | xsltSecurityForbid(xsltSecurityPrefsPtr sec ATTRIBUTE_UNUSED, |
---|
225 | xsltTransformContextPtr ctxt ATTRIBUTE_UNUSED, |
---|
226 | const char *value ATTRIBUTE_UNUSED) { |
---|
227 | return(0); |
---|
228 | } |
---|
229 | |
---|
230 | /************************************************************************ |
---|
231 | * * |
---|
232 | * Internal interfaces * |
---|
233 | * * |
---|
234 | ************************************************************************/ |
---|
235 | |
---|
236 | /** |
---|
237 | * xsltCheckFilename |
---|
238 | * @path: the path to check |
---|
239 | * |
---|
240 | * function checks to see if @path is a valid source |
---|
241 | * (file, socket...) for XML. |
---|
242 | * |
---|
243 | * TODO: remove at some point !!! |
---|
244 | * Local copy of xmlCheckFilename to avoid a hard dependency on |
---|
245 | * a new version of libxml2 |
---|
246 | * |
---|
247 | * if stat is not available on the target machine, |
---|
248 | * returns 1. if stat fails, returns 0 (if calling |
---|
249 | * stat on the filename fails, it can't be right). |
---|
250 | * if stat succeeds and the file is a directory, |
---|
251 | * returns 2. otherwise returns 1. |
---|
252 | */ |
---|
253 | |
---|
254 | static int |
---|
255 | xsltCheckFilename (const char *path) |
---|
256 | { |
---|
257 | #ifdef HAVE_STAT |
---|
258 | struct stat stat_buffer; |
---|
259 | |
---|
260 | if (stat(path, &stat_buffer) == -1) |
---|
261 | return 0; |
---|
262 | |
---|
263 | #ifdef S_ISDIR |
---|
264 | if (S_ISDIR(stat_buffer.st_mode)) { |
---|
265 | return 2; |
---|
266 | } |
---|
267 | #endif |
---|
268 | #endif |
---|
269 | return 1; |
---|
270 | } |
---|
271 | |
---|
272 | /** |
---|
273 | * xsltCheckWrite: |
---|
274 | * @sec: the security options |
---|
275 | * @ctxt: an XSLT transformation context |
---|
276 | * @URL: the resource to be written |
---|
277 | * |
---|
278 | * Check if the resource is allowed to be written, if necessary makes |
---|
279 | * some preliminary work like creating directories |
---|
280 | * |
---|
281 | * Return 1 if write is allowed, 0 if not and -1 in case or error. |
---|
282 | */ |
---|
283 | int |
---|
284 | xsltCheckWrite(xsltSecurityPrefsPtr sec, |
---|
285 | xsltTransformContextPtr ctxt, const xmlChar *URL) { |
---|
286 | int ret; |
---|
287 | xmlURIPtr uri; |
---|
288 | xsltSecurityCheck check; |
---|
289 | |
---|
290 | uri = xmlParseURI((const char *)URL); |
---|
291 | if (uri == NULL) { |
---|
292 | xsltTransformError(ctxt, NULL, NULL, |
---|
293 | "xsltDocumentElem: URL parsing failed for %s\n", |
---|
294 | URL); |
---|
295 | return(-1); |
---|
296 | } |
---|
297 | if ((uri->scheme == NULL) || |
---|
298 | (xmlStrEqual(BAD_CAST uri->scheme, BAD_CAST "file"))) { |
---|
299 | char *directory; |
---|
300 | |
---|
301 | /* |
---|
302 | * Check if we are allowed to write this file |
---|
303 | */ |
---|
304 | check = xsltGetSecurityPrefs(sec, XSLT_SECPREF_WRITE_FILE); |
---|
305 | if (check != NULL) { |
---|
306 | ret = check(sec, ctxt, uri->path); |
---|
307 | if (ret == 0) { |
---|
308 | xsltTransformError(ctxt, NULL, NULL, |
---|
309 | "File write for %s refused\n", URL); |
---|
310 | xmlFreeURI(uri); |
---|
311 | return(0); |
---|
312 | } |
---|
313 | } |
---|
314 | |
---|
315 | directory = xmlParserGetDirectory (uri->path); |
---|
316 | if (directory != NULL) { |
---|
317 | ret = xsltCheckFilename(directory); |
---|
318 | if (ret == 0) { |
---|
319 | /* |
---|
320 | * The directory doesn't exist check for creation |
---|
321 | */ |
---|
322 | check = xsltGetSecurityPrefs(sec, |
---|
323 | XSLT_SECPREF_CREATE_DIRECTORY); |
---|
324 | if (check != NULL) { |
---|
325 | ret = check(sec, ctxt, directory); |
---|
326 | if (ret == 0) { |
---|
327 | xsltTransformError(ctxt, NULL, NULL, |
---|
328 | "Directory creation for %s refused\n", |
---|
329 | URL); |
---|
330 | xmlFree(directory); |
---|
331 | xmlFreeURI(uri); |
---|
332 | return(0); |
---|
333 | } |
---|
334 | } |
---|
335 | ret = xsltCheckWrite(sec, ctxt, (const xmlChar *)directory); |
---|
336 | if (ret == 1) |
---|
337 | ret = mkdir(directory, 0755); |
---|
338 | if (ret < 0) |
---|
339 | return(ret); |
---|
340 | } |
---|
341 | xmlFree(directory); |
---|
342 | } |
---|
343 | } else { |
---|
344 | /* |
---|
345 | * Check if we are allowed to write this network resource |
---|
346 | */ |
---|
347 | check = xsltGetSecurityPrefs(sec, XSLT_SECPREF_WRITE_NETWORK); |
---|
348 | if (check != NULL) { |
---|
349 | ret = check(sec, ctxt, uri->path); |
---|
350 | if (ret == 0) { |
---|
351 | xsltTransformError(ctxt, NULL, NULL, |
---|
352 | "File write for %s refused\n", URL); |
---|
353 | xmlFreeURI(uri); |
---|
354 | return(0); |
---|
355 | } |
---|
356 | } |
---|
357 | } |
---|
358 | xmlFreeURI(uri); |
---|
359 | return(1); |
---|
360 | } |
---|
361 | |
---|
362 | |
---|
363 | /** |
---|
364 | * xsltCheckRead: |
---|
365 | * @sec: the security options |
---|
366 | * @ctxt: an XSLT transformation context |
---|
367 | * @URL: the resource to be read |
---|
368 | * |
---|
369 | * Check if the resource is allowed to be read |
---|
370 | * |
---|
371 | * Return 1 if read is allowed, 0 if not and -1 in case or error. |
---|
372 | */ |
---|
373 | int |
---|
374 | xsltCheckRead(xsltSecurityPrefsPtr sec, |
---|
375 | xsltTransformContextPtr ctxt, const xmlChar *URL) { |
---|
376 | int ret; |
---|
377 | xmlURIPtr uri; |
---|
378 | xsltSecurityCheck check; |
---|
379 | |
---|
380 | uri = xmlParseURI((const char *)URL); |
---|
381 | if (uri == NULL) { |
---|
382 | xsltTransformError(ctxt, NULL, NULL, |
---|
383 | "xsltCheckRead: URL parsing failed for %s\n", |
---|
384 | URL); |
---|
385 | return(-1); |
---|
386 | } |
---|
387 | if ((uri->scheme == NULL) || |
---|
388 | (xmlStrEqual(BAD_CAST uri->scheme, BAD_CAST "file"))) { |
---|
389 | |
---|
390 | /* |
---|
391 | * Check if we are allowed to read this file |
---|
392 | */ |
---|
393 | check = xsltGetSecurityPrefs(sec, XSLT_SECPREF_READ_FILE); |
---|
394 | if (check != NULL) { |
---|
395 | ret = check(sec, ctxt, uri->path); |
---|
396 | if (ret == 0) { |
---|
397 | xsltTransformError(ctxt, NULL, NULL, |
---|
398 | "Local file read for %s refused\n", URL); |
---|
399 | xmlFreeURI(uri); |
---|
400 | return(0); |
---|
401 | } |
---|
402 | } |
---|
403 | } else { |
---|
404 | /* |
---|
405 | * Check if we are allowed to write this network resource |
---|
406 | */ |
---|
407 | check = xsltGetSecurityPrefs(sec, XSLT_SECPREF_READ_NETWORK); |
---|
408 | if (check != NULL) { |
---|
409 | ret = check(sec, ctxt, uri->path); |
---|
410 | if (ret == 0) { |
---|
411 | xsltTransformError(ctxt, NULL, NULL, |
---|
412 | "Network file read for %s refused\n", URL); |
---|
413 | xmlFreeURI(uri); |
---|
414 | return(0); |
---|
415 | } |
---|
416 | } |
---|
417 | } |
---|
418 | xmlFreeURI(uri); |
---|
419 | return(1); |
---|
420 | } |
---|
421 | |
---|