The Samba-Bugzilla – Attachment 17470 Details for
Bug 15143
New filename parser doesn't check veto files smb.conf parameter.
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
git-am fix for master.
bug-15143 (text/plain), 7.52 KB, created by
Jeremy Allison
on 2022-08-11 17:22:42 UTC
(
hide
)
Description:
git-am fix for master.
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2022-08-11 17:22:42 UTC
Size:
7.52 KB
patch
obsolete
>From 3cee7fbe6916098eda125bd69127b8596d997f4f Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 11 Aug 2022 09:51:11 -0700 >Subject: [PATCH 1/3] s3: tests: Add samba3.blackbox.test_veto_files. > >Shows we currently don't look at smb.conf veto files parameter >when opening a file. > >Add knownfail. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > selftest/knownfail.d/veto_files | 1 + > selftest/target/Samba3.pm | 4 + > source3/script/tests/test_veto_files.sh | 125 ++++++++++++++++++++++++ > source3/selftest/tests.py | 4 + > 4 files changed, 134 insertions(+) > create mode 100644 selftest/knownfail.d/veto_files > create mode 100755 source3/script/tests/test_veto_files.sh > >diff --git a/selftest/knownfail.d/veto_files b/selftest/knownfail.d/veto_files >new file mode 100644 >index 00000000000..ad7d841a033 >--- /dev/null >+++ b/selftest/knownfail.d/veto_files >@@ -0,0 +1 @@ >+^samba3.blackbox.test_veto_files.get_veto_file\(fileserver\) >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index 2313f6fce36..ecff6da2cec 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -1914,6 +1914,10 @@ sub setup_fileserver > path = $veto_sharedir > delete veto files = yes > >+[veto_files] >+ path = $veto_sharedir >+ veto files = /veto_name*/ >+ > [delete_yes_unwrite] > read only = no > path = $delete_unwrite_sharedir >diff --git a/source3/script/tests/test_veto_files.sh b/source3/script/tests/test_veto_files.sh >new file mode 100755 >index 00000000000..d2ca3179f79 >--- /dev/null >+++ b/source3/script/tests/test_veto_files.sh >@@ -0,0 +1,125 @@ >+#!/bin/sh >+# >+# Check smbclient cannot get a file that matches a veto files >+# parameter, or inside a directory that matches a veto files >+# parameter. >+# >+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143 >+# >+ >+if [ $# -lt 6 ]; then >+ cat <<EOF >+Usage: $0 SERVER SERVER_IP USERNAME PASSWORD SHAREPATH SMBCLIENT >+EOF >+ exit 1 >+fi >+ >+SERVER=${1} >+SERVER_IP=${2} >+USERNAME=${3} >+PASSWORD=${4} >+SHAREPATH=${5} >+SMBCLIENT=${6} >+shift 6 >+SMBCLIENT="$VALGRIND ${SMBCLIENT}" >+ADDARGS="$@" >+ >+incdir=$(dirname "$0")/../../../testprogs/blackbox >+. "$incdir"/subunit.sh >+ >+failed=0 >+ >+veto_file_path="$SHAREPATH/veto_name_file" >+veto_dir_path="$SHAREPATH/veto_name_dir" >+veto_dir_file_path="$veto_dir_path/file_inside_dir" >+ >+# >+# Using the share "[veto_files]" ensure we >+# cannot fetch a veto'd file or file in a veto'd directory. >+# >+test_get_veto_file() >+{ >+ tmpfile=$PREFIX/smbclient.in.$$ >+ # Create veto file. >+ touch "$veto_file_path" >+ # Create veto directory. >+ mkdir -p "$veto_dir_path" >+ # Create file inside veto directory. >+ touch "$veto_dir_file_path" >+ >+ # Try and get the file. >+ >+ cat >"$tmpfile" <<EOF >+get veto_name_file veto_name_file >+quit >+EOF >+ >+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT //$SERVER/veto_files -U$USERNAME%$PASSWORD $ADDARGS < $tmpfile 2>&1' >+ eval echo "$cmd" >+ out=$(eval "$cmd") >+ ret=$? >+ >+ # Check for smbclient error. >+ if [ $ret != 0 ]; then >+ echo "Failed accessing share veto_files - $ret" >+ echo "$out" >+ return 1 >+ fi >+ >+ rm -f veto_name_file >+ >+ # The get should fail with NT_STATUS_OBJECT_NAME_NOT_FOUND >+ echo "$out" | grep NT_STATUS_OBJECT_NAME_NOT_FOUND >+ ret=$? >+ if [ $ret -ne 0 ]; then >+ echo "Did not see NT_STATUS_OBJECT_NAME_NOT_FOUND getting veto_file_name" >+ echo "$out" >+ return 1 >+ fi >+ >+ # Try and get the file inside the directory. >+ >+ cat >"$tmpfile" <<EOF >+get veto_name_dir/file_inside_dir file_inside_dir >+quit >+EOF >+ >+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT //$SERVER/veto_files -U$USERNAME%$PASSWORD $ADDARGS < $tmpfile 2>&1' >+ eval echo "$cmd" >+ out=$(eval "$cmd") >+ ret=$? >+ >+ # Check for smbclient error. >+ if [ $ret != 0 ]; then >+ echo "Failed accessing share veto_files - $ret" >+ echo "$out" >+ return 1 >+ fi >+ >+ rm -f file_inside_dir >+ >+ # The get should fail with NT_STATUS_OBJECT_PATH_NOT_FOUND >+ echo "$out" | grep NT_STATUS_OBJECT_PATH_NOT_FOUND >+ ret=$? >+ if [ $ret -ne 0 ]; then >+ echo "Did not see NT_STATUS_OBJECT_PATH_NOT_FOUND getting veto_name_dir/file_inside_dir" >+ echo "$out" >+ return 1 >+ fi >+ >+ return 0 >+} >+ >+rm -f veto_name_file >+rm -f file_inside_dir >+rm -f "$veto_file_path" >+rm -rf "$veto_dir_path" >+ >+testit "get_veto_file" test_get_veto_file || failed=$(("$failed" + 1)) >+ >+rm -f veto_name_file >+rm -f file_inside_dir >+rm -f "$veto_file_path" >+rm -rf "$veto_dir_path" >+ >+exit "$failed" >diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py >index 6b8e7f774f2..afb326029dc 100755 >--- a/source3/selftest/tests.py >+++ b/source3/selftest/tests.py >@@ -641,6 +641,10 @@ for env in ["fileserver"]: > '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$LOCAL_PATH/local_symlinks', > '$PREFIX', smbclient3]) > >+ plantestsuite("samba3.blackbox.test_veto_files", env, >+ [os.path.join(samba3srcdir, "script/tests/test_veto_files.sh"), >+ '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$LOCAL_PATH/veto', smbclient3]) >+ > # > # tar command tests > # >-- >2.34.1 > > >From 41d786b344ff59e3292796731b7eaee411c11ed8 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 11 Aug 2022 09:55:56 -0700 >Subject: [PATCH 2/3] s3: smbd: Add IS_VETO_PATH check to > filename_convert_dirfsp_nosymlink(). > >Returns NT_STATUS_OBJECT_PATH_NOT_FOUND for directory component. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/smbd/filename.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > >diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c >index 2baff7b0adf..cf1e3a193ec 100644 >--- a/source3/smbd/filename.c >+++ b/source3/smbd/filename.c >@@ -1171,6 +1171,14 @@ static NTSTATUS filename_convert_dirfsp_nosymlink( > goto fail; > } > >+ /* Check veto files. */ >+ if (IS_VETO_PATH(conn, smb_dirname->base_name)) { >+ DBG_DEBUG("veto files rejecting directory %s\n", >+ smb_fname_str_dbg(smb_dirname)); >+ status = NT_STATUS_OBJECT_PATH_NOT_FOUND; >+ goto fail; >+ } >+ > /* > * Only look at bad last component values > * once we know we have a valid directory. That >-- >2.34.1 > > >From 4db19b308f9887d7a5b502016758c69ec0b99cca Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 11 Aug 2022 10:03:58 -0700 >Subject: [PATCH 3/3] s3: smbd: Add IS_VETO_PATH check to > filename_convert_dirfsp_nosymlink(). > >Returns NT_STATUS_OBJECT_NAME_NOT_FOUND for file component. > >Remove knownfail. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > selftest/knownfail.d/veto_files | 1 - > source3/smbd/filename.c | 8 ++++++++ > 2 files changed, 8 insertions(+), 1 deletion(-) > delete mode 100644 selftest/knownfail.d/veto_files > >diff --git a/selftest/knownfail.d/veto_files b/selftest/knownfail.d/veto_files >deleted file mode 100644 >index ad7d841a033..00000000000 >--- a/selftest/knownfail.d/veto_files >+++ /dev/null >@@ -1 +0,0 @@ >-^samba3.blackbox.test_veto_files.get_veto_file\(fileserver\) >diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c >index cf1e3a193ec..c511089d950 100644 >--- a/source3/smbd/filename.c >+++ b/source3/smbd/filename.c >@@ -1236,6 +1236,14 @@ static NTSTATUS filename_convert_dirfsp_nosymlink( > goto fail; > } > >+ /* Check veto files. */ >+ if (IS_VETO_PATH(conn, smb_fname_rel->base_name)) { >+ DBG_DEBUG("veto files rejecting file %s\n", >+ smb_fname_str_dbg(smb_fname_rel)); >+ status = NT_STATUS_OBJECT_NAME_NOT_FOUND; >+ goto fail; >+ } >+ > status = openat_pathref_fsp_case_insensitive( > smb_dirname->fsp, smb_fname_rel, ucf_flags); > >-- >2.34.1 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=17470">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
jra
:
ci-passed+
Actions:
View
Attachments on
bug 15143
:
17469
|
17470