Fix: forbid session name creation if contains /

This adds a validation function for session name which for now denies
any session name containing '/'.

This is in response of bug #721 that actually uses a path as a session
name such as "test/../session1" which would then be concatenated to the
session path adding a relative path to it making this a serious security
issue.

Because of this issue, this is backported from master up to stable-2.3.

Fixes #721

Signed-off-by: David Goulet <dgoulet@efficios.com>

diff --git a/doc/man/lttng.1 b/doc/man/lttng.1
index 0f9cd9c516b3a3fbc4955643ab1e6e4885babc61..f97452ed8939210d295221d62d4e3764a8f0534b 100644 (file)
--- a/doc/man/lttng.1
+++ b/doc/man/lttng.1
@@ -233,6 +233,8 @@ The $HOME environment variable can be overridden by defining the environment
 variable LTTNG_HOME. This is useful when the user running the commands has
 a non-writeable home directory.
 
+The session name MUST NOT contain the character '/'.
+
 .B OPTIONS:
 
 .TP

diff --git a/include/lttng/lttng-error.h b/include/lttng/lttng-error.h
index a94fcd69747775d0faded80ec0d4b23e1392c9ed..db0a11ffab3863be1f386c986b1d5179a7d3da6f 100644 (file)
--- a/include/lttng/lttng-error.h
+++ b/include/lttng/lttng-error.h
@@ -103,7 +103,7 @@ enum lttng_error_code {
        LTTNG_ERR_UST_STREAM_FAIL        = 70,  /* UST create stream failed */
        LTTNG_ERR_SNAPSHOT_NODATA        = 71,  /* No data in snapshot. */
        LTTNG_ERR_NO_CHANNEL             = 72,  /* No channel found in the session. */
-       /* 73 */
+       LTTNG_ERR_SESSION_INVALID_CHAR   = 73,  /* Invalid characters found in session name. */
        LTTNG_ERR_UST_LIST_FAIL          = 74,  /* UST listing events failed */
        LTTNG_ERR_UST_EVENT_EXIST        = 75,  /* UST event exist */
        LTTNG_ERR_UST_EVENT_NOT_FOUND    = 76,  /* UST event not found */

diff --git a/src/bin/lttng-sessiond/session.c b/src/bin/lttng-sessiond/session.c
index a777b041428443fe856b4e7613920a377e7b494f..def0e9c6f38c75e8bc132887927071fb88acd3cb 100644 (file)
--- a/src/bin/lttng-sessiond/session.c
+++ b/src/bin/lttng-sessiond/session.c
@@ -49,6 +49,42 @@ static struct ltt_session_list ltt_session_list = {
        .next_uuid = 0,
 };
 
+/* These characters are forbidden in a session name. Used by validate_name. */
+static const char *forbidden_name_chars = "/";
+
+/*
+ * Validate the session name for forbidden characters.
+ *
+ * Return 0 on success else -1 meaning a forbidden char. has been found.
+ */
+static int validate_name(const char *name)
+{
+       int ret;
+       char *tok, *tmp_name;
+
+       assert(name);
+
+       tmp_name = strdup(name);
+       if (!tmp_name) {
+               /* ENOMEM here. */
+               ret = -1;
+               goto error;
+       }
+
+       tok = strpbrk(tmp_name, forbidden_name_chars);
+       if (tok) {
+               DBG("Session name %s contains a forbidden character", name);
+               /* Forbidden character has been found. */
+               ret = -1;
+               goto error;
+       }
+       ret = 0;
+
+error:
+       free(tmp_name);
+       return ret;
+}
+
 /*
  * Add a ltt_session structure to the global list.
  *
@@ -194,6 +230,12 @@ int session_create(char *name, uid_t uid, gid_t gid)
                goto error;
        }
 
+       ret = validate_name(name);
+       if (ret < 0) {
+               ret = LTTNG_ERR_SESSION_INVALID_CHAR;
+               goto error;
+       }
+
        /* Init kernel session */
        new_session->kernel_session = NULL;
        new_session->ust_session = NULL;

diff --git a/src/common/error.c b/src/common/error.c
index 6c5aca65b40888aaf18d17d3aa9cf70c49a41736..34daa4ca0c13eb2eb131e419eff2cecacbd6f558 100644 (file)
--- a/src/common/error.c
+++ b/src/common/error.c
@@ -115,6 +115,7 @@ static const char *error_string_array[] = {
        [ ERROR_INDEX(LTTNG_ERR_SNAPSHOT_FAIL) ] = "Snapshot record failed",
        [ ERROR_INDEX(LTTNG_ERR_SNAPSHOT_NODATA) ] = "No data available in snapshot",
        [ ERROR_INDEX(LTTNG_ERR_NO_CHANNEL) ] = "No channel found in the session",
+       [ ERROR_INDEX(LTTNG_ERR_SESSION_INVALID_CHAR) ] = "Invalid character found in session name",
 
        /* Last element */
        [ ERROR_INDEX(LTTNG_ERR_NR) ] = "Unknown error code"