Avoid redundantly validating symbolic link names

qubes_pure_validate_symbolic_link() validates both the symlink path and target, so validating the path with a separate qubes_pure_validate_file_name() call is unnecessary. (cherry picked from commit 2a0da19)
QubesOS · Jun 22, 2024 · be7940c · be7940c
1 parent 8db9b67
commit be7940c
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/qrexec-lib/unpack.c b/qrexec-lib/unpack.c
@@ -298,8 +298,6 @@ static void process_one_file_link(struct file_header *untrusted_hdr,
     const char *last_segment;
     char *path_dup;
     unsigned int filelen;
-    if (!qubes_pure_validate_file_name((const uint8_t *)untrusted_name))
-        do_exit(EILSEQ, untrusted_name); /* FIXME: better error message */
     int safe_dirfd;
     if (untrusted_hdr->filelen > MAX_PATH_LENGTH - 1)
         do_exit(ENAMETOOLONG, untrusted_name);
@@ -312,6 +310,7 @@ static void process_one_file_link(struct file_header *untrusted_hdr,
         do_exit(LEGAL_EOF, untrusted_name); // hopefully remote has produced error message
     untrusted_content[filelen] = 0;
     /*
+     * Sanitize both the path of the symbolic link and its target.
      * Ensure that no immediate subdirectory of ~/QubesIncoming/VMNAME
      * may have symlinks that point out of it.
      */

diff --git a/qrexec-lib/validator-test.c b/qrexec-lib/validator-test.c
@@ -118,6 +118,8 @@ int main(int argc, char **argv)
     assert(qubes_pure_validate_symbolic_link((const uint8_t *)"a/b/c", (const uint8_t *)".."));
     // Symlinks may end in "/".
     assert(qubes_pure_validate_symbolic_link((const uint8_t *)"a/b/c", (const uint8_t *)"a/"));
+    // Symlinks reject invalid paths.
+    assert(!qubes_pure_validate_symbolic_link((const uint8_t *)"..", (const uint8_t *)"a/"));
 
     // Greek letters are safe
     assert(qubes_pure_validate_file_name((uint8_t *)u8"\u03b2.txt"));