From 3cee7fbe6916098eda125bd69127b8596d997f4f Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 11 Aug 2022 09:51:11 -0700
Subject: [PATCH 1/3] s3: tests: Add samba3.blackbox.test_veto_files.

Shows we currently don't look at smb.conf veto files parameter when opening a file. Add knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143
Signed-off-by: Jeremy Allison
---
 selftest/knownfail.d/veto_files | 1 +
 selftest/target/Samba3.pm | 4 +
 source3/script/tests/test_veto_files.sh | 125 ++++++++++++++++++++++++
 source3/selftest/tests.py | 4 +
 4 files changed, 134 insertions(+)
 create mode 100644 selftest/knownfail.d/veto_files
 create mode 100755 source3/script/tests/test_veto_files.sh
diff --git a/selftest/knownfail.d/veto_files b/selftest/knownfail.d/veto_files
new file mode 100644
index 00000000000..ad7d841a033
--- /dev/null
+++ b/selftest/knownfail.d/veto_files
@@ -0,0 +1 @@
+^samba3.blackbox.test_veto_files.get_veto_file\(fileserver\)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 2313f6fce36..ecff6da2cec 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1914,6 +1914,10 @@ sub setup_fileserver
 path = $veto_sharedir
 delete veto files = yes
 
+[veto_files]
+ path = $veto_sharedir
+ veto files = /veto_name*/
+
 [delete_yes_unwrite]
 read only = no
 path = $delete_unwrite_sharedir
diff --git a/source3/script/tests/test_veto_files.sh b/source3/script/tests/test_veto_files.sh
new file mode 100755
index 00000000000..d2ca3179f79
--- /dev/null
+++ b/source3/script/tests/test_veto_files.sh
@@ -0,0 +1,125 @@
+#!/bin/sh
+#
+# Check smbclient cannot get a file that matches a veto files
+# parameter, or inside a directory that matches a veto files
+# parameter.
+#
+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143
+#
+
+if [ $# -lt 6 ]; then
+ cat <"$tmpfile" <"$tmpfile" <
Date: Thu, 11 Aug 2022 09:55:56 -0700
Subject: [PATCH 2/3] s3: smbd: Add IS_VETO_PATH check to filename_convert_dirfsp_nosymlink().

Returns NT_STATUS_OBJECT_PATH_NOT_FOUND for directory component.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143
Signed-off-by: Jeremy Allison
---
 source3/smbd/filename.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index 2baff7b0adf..cf1e3a193ec 100644
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -1171,6 +1171,14 @@ static NTSTATUS filename_convert_dirfsp_nosymlink(
 goto fail;
 }
 
+ /* Check veto files. */
+ if (IS_VETO_PATH(conn, smb_dirname->base_name)) {
+ DBG_DEBUG("veto files rejecting directory %s\n",
+ smb_fname_str_dbg(smb_dirname));
+ status = NT_STATUS_OBJECT_PATH_NOT_FOUND;
+ goto fail;
+ }
+
 /*
 * Only look at bad last component values
 * once we know we have a valid directory. That
-- 
2.34.1
From 4db19b308f9887d7a5b502016758c69ec0b99cca Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 11 Aug 2022 10:03:58 -0700
Subject: [PATCH 3/3] s3: smbd: Add IS_VETO_PATH check to filename_convert_dirfsp_nosymlink().

Returns NT_STATUS_OBJECT_NAME_NOT_FOUND for file component. Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143
Signed-off-by: Jeremy Allison
---
 selftest/knownfail.d/veto_files | 1 -
 source3/smbd/filename.c | 8 ++++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
 delete mode 100644 selftest/knownfail.d/veto_files
diff --git a/selftest/knownfail.d/veto_files b/selftest/knownfail.d/veto_files
deleted file mode 100644
index ad7d841a033..00000000000
--- a/selftest/knownfail.d/veto_files
+++ /dev/null
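Review bot: In the `@@ -1171` hunk of source3/smbd/filename.c (patch 2/3), the added `IS_VETO_PATH(conn, smb_dirname->base_name)` hands the whole directory path to one call, and nothing in this patch shows whether IS_VETO_PATH matches every component of that path or only the last one. If it matches the last component only, a vetoed directory that sits above the final one (for instance `veto_name_dir/sub/file`, a constructed example) would still resolve, leaving the `veto files` restriction incomplete for nested paths. I would either apply the check per component where the directory path is walked, or record the contract at this call, e.g. `/* IS_VETO_PATH must match a vetoed name at any depth of smb_dirname, not just its last component. */`, and add a nested-directory case to test_veto_files.sh. The test script is truncated on this page, so such a case may already exist. The body of filename_convert_dirfsp_nosymlink() starts and ends outside the hunk.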
@@ -1 +0,0 @@
-^samba3.blackbox.test_veto_files.get_veto_file\(fileserver\)
diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index cf1e3a193ec..c511089d950 100644
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -1236,6 +1236,14 @@ static NTSTATUS filename_convert_dirfsp_nosymlink(
 goto fail;
 }
 
+ /* Check veto files. */
+ if (IS_VETO_PATH(conn, smb_fname_rel->base_name)) {
+ DBG_DEBUG("veto files rejecting file %s\n",
+ smb_fname_str_dbg(smb_fname_rel));
+ status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ goto fail;
+ }
+
 status = openat_pathref_fsp_case_insensitive(
 smb_dirname->fsp, smb_fname_rel, ucf_flags);
 
-- 
2.34.1
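Review bot: In the `@@ -1236` hunk of source3/smbd/filename.c the veto test runs on `smb_fname_rel->base_name` as the client requested it, before `openat_pathref_fsp_case_insensitive()` resolves that name to the on-disk entry. If that call can map the requested name to a differently spelled entry (another case, or a mangled short name), the name that is finally opened is never compared with the veto list; whether it can is not visible in this hunk. I would repeat the test on the resolved name once the call succeeds, roughly `if (NT_STATUS_IS_OK(status) && IS_VETO_PATH(conn, smb_fname_rel->base_name)) { status = NT_STATUS_OBJECT_NAME_NOT_FOUND; goto fail; }`, assuming the call updates `smb_fname_rel` in place, and add a test that asks for the vetoed file under an alternate spelling. The function body starts and ends outside the hunk.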