author | Nick Kralevich | 2013-09-13 19:21:28 -0500 |
---|---|---|
committer | Nick Kralevich | 2013-09-16 11:05:29 -0500 |
commit | 694636142113d91c2b9585ad28e143d4ff001584 (patch) | |
tree | 386eb400e2df5473c5d9484bd6b1b0e0d7ed5fa2 | |
parent | 53dc297dd685aa7498203fddb3f85e60f2cbc7df (diff) | |
property_service: better validate property names
Don't allow unexpected characters in property names.
Don't allow double dots in property names.
Bug: 10733330
Change-Id: I8d69740d697efb791f2f201f90989576e13bac81
-rw-r--r-- | init/property_service.c | 41 |
1 files changed, 37 insertions, 4 deletions
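--- a/init/property_service.c
+++ b/init/property_service.c
@@ -276,6 +276,34 @@ static void write_persistent_property(const char *name, const char *value)
 }
 }
 
+static bool is_legal_property_name(const char* name, size_t namelen)
+{
+size_t i;
+bool previous_was_dot = false;
+if (namelen >= PROP_NAME_MAX) return false;
+if (namelen < 1) return false;
+if (name[0] == '.') return false;
+if (name[namelen - 1] == '.') return false;
+
+/* Only allow alphanumeric, plus '.', '-', or '_' */
+/* Don't allow ".." to appear in a property name */
+for (i = 0; i < namelen; i++) {
+if (name[i] == '.') {
+if (previous_was_dot == true) return false;
+previous_was_dot = true;
+continue;
+}
+previous_was_dot = false;
+if (name[i] == '_' || name[i] == '-') continue;
+if (name[i] >= 'a' && name[i] <= 'z') continue;
+if (name[i] >= 'A' && name[i] <= 'Z') continue;
+if (name[i] >= '0' && name[i] <= '9') continue;
+return false;
+}
+
+return true;
+}
+
 int property_set(const char *name, const char *value)
 {
 prop_info *pi;
@@ -284,9 +312,8 @@ int property_set(const char *name, const char *value)
 size_t namelen = strlen(name);
 size_t valuelen = strlen(value);
 
-if(namelen >= PROP_NAME_MAX) return -1;
-if(valuelen >= PROP_VALUE_MAX) return -1;
-if(namelen < 1) return -1;
+if (!is_legal_property_name(name, namelen)) return -1;
+if (valuelen >= PROP_VALUE_MAX) return -1;
 
 pi = (prop_info*) __system_property_find(name);
 
@@ -298,7 +325,7 @@ int property_set(const char *name, const char *value)
 } else {
 ret = __system_property_add(name, namelen, value, valuelen);
 if (ret < 0) {
-ERROR("Failed to set '%s'='%s'", name, value);
+ERROR("Failed to set '%s'='%s'\n", name, value);
 return ret;
 }
 }
@@ -364,6 +391,12 @@ void handle_property_set_fd()
 msg.name[PROP_NAME_MAX-1] = 0;
 msg.value[PROP_VALUE_MAX-1] = 0;
 
+if (!is_legal_property_name(msg.name, strlen(msg.name))) {
+ERROR("sys_prop: illegal property name. Got: \"%s\"\n", msg.name);
+close(s);
+return;
+}
+
 getpeercon(s, &source_ctx);
 
 if(memcmp(msg.name,"ctl.",4) == 0) {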
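Review bot: The rejection log added at new line 395 in handle_property_set_fd prints `msg.name` with `%s` exactly when the name has failed validation, so whatever bytes the peer on socket `s` sent (newlines, control characters) reach the log unescaped and can forge or corrupt log lines. The `msg.name[PROP_NAME_MAX-1] = 0` termination just above bounds the length, so the exposure is content, not size. I would drop the raw name from the message, for example `ERROR("sys_prop: illegal property name (len %zu)\n", strlen(msg.name));`, or escape non-printable bytes before logging. The early return also runs before `getpeercon(s, &source_ctx)`, so the message cannot identify the sender; if peer identity is available at that point it is worth recording, since a rejected name is a useful detection signal. The function begins and ends outside the hunk, so how `msg` is filled and what else is cleaned up on return is not visible here.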