From f4816717823b446a007d9f8acc8fd5cf21eb7d4d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Fri, 16 Feb 2018 05:21:02 +0100
Subject: [PATCH] qrexec: forbid '$' in target and service name

Those parameters eventually may eventually be passed to a shell script (at least /usr/lib/qubes/qubes-rpc-multiplexer). While it is possible to properly escape shell special characters, lets do safer and less fragile thing: forbid such characters entirely.

In case of target name, qrexec policy keywords are allowed, and after recent change, those contains '@', so allow this char.

(cherry picked from commit cf28dad1943bd424b2ed23000cdcfd32d8e3190c)
---
 qrexec/qrexec-daemon.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/qrexec/qrexec-daemon.c b/qrexec/qrexec-daemon.c
index 0cf58a1..98ab356 100644
--- a/qrexec/qrexec-daemon.c
+++ b/qrexec/qrexec-daemon.c
@@ -632,8 +632,7 @@ static void sanitize_name(char * untrusted_s_signed, char *extra_allowed_chars)
 continue;
 if (*untrusted_s >= '0' && *untrusted_s <= '9')
 continue;
- if (*untrusted_s == '$' ||
- *untrusted_s == '_' ||
+ if (*untrusted_s == '_' ||
 *untrusted_s == '-' ||
 *untrusted_s == '.')
 continue;
@@ -665,7 +664,7 @@ static void handle_execute_service(void)
 ENSURE_NULL_TERMINATED(untrusted_params.target_domain);
 ENSURE_NULL_TERMINATED(untrusted_params.request_id.ident);
 sanitize_name(untrusted_params.service_name, "+");
- sanitize_name(untrusted_params.target_domain, "");
+ sanitize_name(untrusted_params.target_domain, "@");
 sanitize_name(untrusted_params.request_id.ident, " ");
 params = untrusted_params;
 /* sanitize end */
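Review bot: The whitelist in sanitize_name is only as strict as what callers pass in extra_allowed_chars, and nothing at the definition records that these values end up in a shell script, so a future caller could re-admit `$` or a quote simply by listing it as an extra. I would add a comment above the function (its signature is in the hunk header; the body starts before and ends after this hunk): `/* Whitelist only: accept [A-Za-z0-9_.-] plus extra_allowed_chars. Values reach shell scripts (qubes-rpc-multiplexer), so never pass shell metacharacters ($ backtick quotes \ ; & | < > * ? space) as extras. */` What the function does when it meets a rejected character is outside the hunk, so I cannot confirm it aborts rather than strips.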
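Review bot: The new '@' allowance, like the '-' and '.' the whitelist already admits, is position-independent, so a target such as `-foo` or a service name `--bar` still passes; if these values are later handed to the multiplexer script as positional arguments, as the commit message suggests, a leading '-' may be parsed as an option. Consider rejecting a leading '-' in sanitize_name, or documenting at these three calls that the consumer must place `--` before the values. The ' ' allowed for request_id.ident in the same run of calls would also word-split if that value is ever expanded unquoted in a shell; whether it reaches the script is not visible here. handle_execute_service starts before this hunk.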