https://github.com/ThomasDickey/original-mawk/issues/49
From ae3a324a5af1350aa1a6f648e10b9d6656d9fde4 Mon Sep 17 00:00:00 2001
From: Mike Frysinger
Date: Tue, 7 Nov 2017 00:41:36 -0500
Subject: [PATCH 1/2] add a -W sandbox mode

This is like gawk's sandbox mode where arbitrary code execution and file redirection are locked down. This way awk can be a more secure input/output mode.
---
 bi_funct.c | 3 +++
 init.c | 8 ++++++++
 man/mawk.1 | 4 ++++
 mawk.h | 2 +-
 scan.c | 6 ++++++
 5 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/bi_funct.c b/bi_funct.c
index 7742308c72a5..b524ac8dac8b 100644
--- a/bi_funct.c
+++ b/bi_funct.c
@@ -908,6 +908,9 @@ bi_system(CELL *sp GCC_UNUSED)
 #ifdef HAVE_REAL_PIPES
 int ret_val;
+ if (sandbox_flag)
+ rt_error("'system' function not allowed in sandbox mode");
+
 TRACE_FUNC("bi_system", sp);
 if (sp->type < C_STRING)
diff --git a/init.c b/init.c
index 0ab17b003f20..f7babb337e04 100644
--- a/init.c
+++ b/init.c
@@ -40,6 +40,7 @@ typedef enum {
 W_RANDOM,
 W_SPRINTF,
 W_POSIX_SPACE,
+ W_SANDBOX,
 W_USAGE
 } W_OPTIONS;
@@ -96,6 +97,7 @@ initialize(int argc, char **argv)
 int dump_code_flag; /* if on dump internal code */
 short posix_space_flag;
+short sandbox_flag;
 #ifdef DEBUG
 int dump_RE = 1; /* if on dump compiled REs */
@@ -153,6 +155,7 @@ usage(void)
 " -W random=number set initial random seed.",
 " -W sprintf=number adjust size of sprintf buffer.",
 " -W posix_space do not consider \"\\n\" a space.",
+ " -W sandbox disable system() and I/O redirection.",
 " -W usage show this message and exit.",
 };
 size_t n;
@@ -255,6 +258,7 @@ parse_w_opt(char *source, char **next)
 DATA(RANDOM),
 DATA(SPRINTF),
 DATA(POSIX_SPACE),
+ DATA(SANDBOX),
 DATA(USAGE)
 };
 #undef DATA
@@ -389,6 +393,10 @@ process_cmdline(int argc, char **argv)
 posix_space_flag = 1;
 break;
+ case W_SANDBOX:
+ sandbox_flag = 1;
+ break;
+
 case W_RANDOM:
 if (haveValue(optNext)) {
 int x = atoi(optNext + 1);
diff --git a/man/mawk.1 b/man/mawk.1
index a3c794167dc9..0915d9d7ed5d 100644
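Review bot: The new guard in bi_system sits inside `#ifdef HAVE_REAL_PIPES`, so if the function's `#else` branch (outside the hunk) also runs the command string on builds without real pipes, that path stays open in sandbox mode. Moving the two lines above the `#ifdef`, before `int ret_val;`, would cover every build: `if (sandbox_flag) rt_error("'system' function not allowed in sandbox mode");`. The rejection also happens only when system() is actually reached at run time rather than when the program is parsed, which is a defensible choice but deserves a comment above the check such as `/* -W sandbox: refuse arbitrary command execution at call time */`. bi_system's body continues past the end of the hunk.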
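Review bot: The new `short sandbox_flag;` in the second init.c hunk carries no comment, while its neighbour `int dump_code_flag; /* if on dump internal code */` documents its meaning inline; suggest `short sandbox_flag; /* if on (-W sandbox), refuse system() and I/O redirection */`. The other three init.c hunks add `W_SANDBOX`, `DATA(SANDBOX)` and the `case W_SANDBOX:` in matching positions, which only matters if the `DATA` table is looked up by position rather than by the enum value it stores; if it is, a one-line comment at `W_SANDBOX` saying the order must match parse_w_opt's table would prevent a later insertion from silently mis-mapping options. The enclosing usage, parse_w_opt and process_cmdline bodies extend outside the hunks.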
--- a/man/mawk.1
+++ b/man/mawk.1
@@ -150,6 +150,10 @@ forces \fB\*n\fP not to consider '\en' to be space.
 .TP
+\-\fBW \fRsandbox
+runs in a restricted mode where system(), input redirection (e.g. getline),
+output redirection (e.g. print and printf), and pipelines are disabled.
+.TP
 \-\fBW \fRrandom=\fInum\fR
 calls \fBsrand\fP with the given parameter (and overrides the auto-seeding behavior).
diff --git a/mawk.h b/mawk.h
index 2d04be1adb34..a6ccc0071ecc 100644
--- a/mawk.h
+++ b/mawk.h
@@ -63,7 +63,7 @@ extern int dump_RE;
 #define USE_BINMODE 0
 #endif
-extern short posix_space_flag, interactive_flag;
+extern short posix_space_flag, interactive_flag, sandbox_flag;
 /*----------------
 * GLOBAL VARIABLES
diff --git a/scan.c b/scan.c
index 3a8fc9181ab8..c1833b8b7315 100644
--- a/scan.c
+++ b/scan.c
@@ -455,6 +455,8 @@ yylex(void)
 un_next();
 if (getline_flag) {
+ if (sandbox_flag)
+ rt_error("redirection not allowed in sandbox mode");
 getline_flag = 0;
 ct_ret(IO_IN);
 } else
@@ -462,6 +464,8 @@ yylex(void)
 case SC_GT: /* '>' */
 if (print_flag && paren_cnt == 0) {
+ if (sandbox_flag)
+ rt_error("redirection not allowed in sandbox mode");
 print_flag = 0;
 /* there are 3 types of IO_OUT -- build the error string in string_buff */
@@ -488,6 +492,8 @@ yylex(void)
 un_next();
 if (print_flag && paren_cnt == 0) {
+ if (sandbox_flag)
+ rt_error("pipe execution not allowed in sandbox mode");
 print_flag = 0;
 yylval.ival = PIPE_OUT;
 string_buff[0] = '|';
-- 
2.13.5
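Review bot: The pipe guard in the third scan.c hunk covers only the output form, because it sits inside the `print_flag && paren_cnt == 0` branch that yields `PIPE_OUT`; the `else` branch of the same case, outside the hunk, is where `|` is lexed when it does not follow print, which is presumably how the getline-from-command form reaches the parser, so input pipes appear to remain usable in sandbox mode even though the new man page text says pipelines are disabled. If that branch produces the pipe token used by getline input, it needs the same `if (sandbox_flag) rt_error("pipe execution not allowed in sandbox mode");`, or the parser rule that builds the getline-from-pipe node should carry the check. Separately, all three hunks report a parse-time refusal through `rt_error`; if scan.c's other lexer diagnostics go through `compile_error`, switching these to it (e.g. `compile_error("redirection not allowed in sandbox mode");`) would keep the message format and the line-number reporting consistent and avoid a run-time error path being taken before execution has started. yylex's body extends outside all three hunks.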