QubesOS/qubes-core-admin-linux
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

regexp fixes and validation (#829)

Browse Source
This commit is contained in:
Wojciech Zygmunt Porczyk 2014-05-19 13:36:02 +02:00
parent 38b1845e97
commit 66234f41ee
2 changed files with 21 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
appmenus-scripts/qubes-receive-appmenus
View File

@ -1,4 +1,5 @@
#!/usr/bin/python #!/usr/bin/python
# -*- coding: utf-8 -*-
# #
# The Qubes OS Project, http://www.qubes-os.org # The Qubes OS Project, http://www.qubes-os.org
# #
@ -24,8 +25,9 @@ import subprocess
import re import re
import os import os
import sys import sys
import fnmatch
import shutil import shutil
import pipes
from optparse import OptionParser from optparse import OptionParser
from qubes.qubes import QubesVmCollection,QubesException,system_path from qubes.qubes import QubesVmCollection,QubesException,system_path
from qubes.qubes import QubesHVm from qubes.qubes import QubesHVm
@ -46,7 +48,7 @@ fields_regexp = {
"GenericName": std_re, "GenericName": std_re,
"Comment": std_re, "Comment": std_re,
"Categories": re.compile(r"^[a-zA-Z0-9/.;:'() -]*$"), "Categories": re.compile(r"^[a-zA-Z0-9/.;:'() -]*$"),
"Exec": re.compile(r"^[a-zA-Z0-9()%&>/{}\"\\:.= -]*$"), "Exec": re.compile(r"^[a-zA-Z0-9()%&>/{}\"'\\:.= -]*$"),
"Icon": re.compile(r"^[a-zA-Z0-9/_.-]*$"), "Icon": re.compile(r"^[a-zA-Z0-9/_.-]*$"),
} }
@ -144,8 +146,17 @@ def get_appmenus(vm):
untrusted_m = line_rx.search(untrusted_line) untrusted_m = line_rx.search(untrusted_line)
if untrusted_m: if untrusted_m:
filename = untrusted_m.group(1) filename = untrusted_m.group(1)
assert '/' not in filename
assert '\0' not in filename
untrusted_key = untrusted_m.group(2) untrusted_key = untrusted_m.group(2)
assert '\0' not in untrusted_key
assert '\x1b' not in untrusted_key
assert '=' not in untrusted_key
untrusted_value = untrusted_m.group(3) untrusted_value = untrusted_m.group(3)
# TODO add key-dependent asserts
# Look only at predefined keys # Look only at predefined keys
if fields_regexp.has_key(untrusted_key): if fields_regexp.has_key(untrusted_key):
if fields_regexp[untrusted_key].match(untrusted_value): if fields_regexp[untrusted_key].match(untrusted_value):
@ -161,14 +172,13 @@ def get_appmenus(vm):
appmenus[filename][key]=value appmenus[filename][key]=value
else: else:
print >>sys.stderr, "Warning: ignoring key %s of %s" % (untrusted_key, filename) print >>sys.stderr, "Warning: ignoring key %r of %s" % (untrusted_key, filename)
# else: ignore this key # else: ignore this key
return appmenus return appmenus
def create_template(path, values): def create_template(path, values):
# check if all required fields are present # check if all required fields are present
for key in required_fields: for key in required_fields:
if not values.has_key(key): if not values.has_key(key):
@ -197,12 +207,11 @@ def create_template(path, values):
if values.has_key(key): if values.has_key(key):
desktop_file.write("{0}={1}\n".format(key, values[key])) desktop_file.write("{0}={1}\n".format(key, values[key]))
desktop_file.write("Exec=qvm-run -q --tray -a %VMNAME% '{0}'\n".format(values['Exec'])) desktop_file.write("Exec=qvm-run -q --tray -a %VMNAME% {0}\n".format(pipes.quote(values['Exec'])))
desktop_file.close() desktop_file.close()
def main(): def main():
env_vmname = os.environ.get("QREXEC_REMOTE_DOMAIN") env_vmname = os.environ.get("QREXEC_REMOTE_DOMAIN")
usage = "usage: %prog [options] <vm-name>\n"\ usage = "usage: %prog [options] <vm-name>\n"\
"Updates desktop file templates for given StandaloneVM or TemplateVM" "Updates desktop file templates for given StandaloneVM or TemplateVM"
@ -301,7 +310,7 @@ def main():
if options.verbose: if options.verbose:
print >> sys.stderr, "--> Cleaning old files" print >> sys.stderr, "--> Cleaning old files"
for appmenu_file in os.listdir(vm.appmenus_templates_dir): for appmenu_file in os.listdir(vm.appmenus_templates_dir):
if not fnmatch.fnmatch(appmenu_file, '*.desktop'): if not appmenu_file.endswith('.desktop'):
continue continue
if not new_appmenus.has_key(appmenu_file): if not new_appmenus.has_key(appmenu_file):

6
dom0-updates/qubes-receive-updates
View File

@ -39,7 +39,7 @@ comps_file = None
if os.path.exists('/usr/share/qubes/Qubes-comps.xml'): if os.path.exists('/usr/share/qubes/Qubes-comps.xml'):
comps_file = '/usr/share/qubes/Qubes-comps.xml' comps_file = '/usr/share/qubes/Qubes-comps.xml'
package_regex = re.compile(r"^[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._+-]{1,128}.rpm$") package_regex = re.compile(r"^[A-Za-z0-9._+-]{1,128}.rpm$")
gpg_ok_regex = re.compile(r"pgp md5 OK$") gpg_ok_regex = re.compile(r"pgp md5 OK$")
def dom0updates_fatal(pkg, msg): def dom0updates_fatal(pkg, msg):
@ -76,6 +76,10 @@ def handle_dom0updates(updatevm):
dom0updates_fatal(updates_rpm_dir + '/' + untrusted_f, 'Domain ' + source + ' sent unexpected file: ' + untrusted_f) dom0updates_fatal(updates_rpm_dir + '/' + untrusted_f, 'Domain ' + source + ' sent unexpected file: ' + untrusted_f)
else: else:
f = untrusted_f f = untrusted_f
assert '/' not in f
assert '\0' not in f
assert '\x1b' not in f
full_path = updates_rpm_dir + "/" + f full_path = updates_rpm_dir + "/" + f
if os.path.islink(full_path) or not os.path.isfile(full_path): if os.path.islink(full_path) or not os.path.isfile(full_path):
dom0updates_fatal(full_path, 'Domain ' + source + ' sent not regular file') dom0updates_fatal(full_path, 'Domain ' + source + ' sent not regular file')