The Samba-Bugzilla – Attachment 17855 Details for
Bug 15143
New filename parser doesn't check veto files smb.conf parameter.
[patch]
git-am fix for 4.18.next, 4.17.next.
bug-15143-4.18 (text/plain), 6.53 KB, created by
Jeremy Allison
on 2023-04-06 23:19:01 UTC
Description:
git-am fix for 4.18.next, 4.17.next.
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2023-04-06 23:19:01 UTC
Size:
6.53 KB
>From e4ddb3cb739a94d14e37f6ed1e62ed44da363e41 Mon Sep 17 00:00:00 2001
>From: Ralph Boehme <slow@samba.org>
>Date: Wed, 5 Apr 2023 11:32:09 +0200
>Subject: [PATCH 1/2] CI: add a test creating a vetoed file
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143
>
>Signed-off-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit 2e8954d5be3336f1c4c2cf033209f632ad84e712)
>---
> ...ba3.blackbox.test_veto_files.get_veto_file | 1 +
> source3/script/tests/test_veto_files.sh | 47 +++++++++++++++++++
> 2 files changed, 48 insertions(+)
> create mode 100644 selftest/knownfail.d/samba3.blackbox.test_veto_files.get_veto_file
>
>diff --git a/selftest/knownfail.d/samba3.blackbox.test_veto_files.get_veto_file b/selftest/knownfail.d/samba3.blackbox.test_veto_files.get_veto_file
>new file mode 100644
>index 00000000000..ff8f37f0509
>--- /dev/null
>+++ b/selftest/knownfail.d/samba3.blackbox.test_veto_files.get_veto_file
>@@ -0,0 +1 @@
>+^samba3.blackbox.test_veto_files.create_veto_file\(fileserver\)
>diff --git a/source3/script/tests/test_veto_files.sh b/source3/script/tests/test_veto_files.sh
>index 9f0526bd54c..5ecfb53b8a4 100755
>--- a/source3/script/tests/test_veto_files.sh
>+++ b/source3/script/tests/test_veto_files.sh
>@@ -84,6 +84,42 @@ EOF
> fi
> }
>
>+smbclient_create_expect_error()
>+{
>+ filename="$1.$$"
>+ expected_error="$2"
>+ tmpfile=$PREFIX/smbclient_interactive_prompt_commands
>+ cat >"$tmpfile" <<EOF
>+put $tmpfile $filename
>+quit
>+EOF
>+
>+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT -U$USERNAME%$PASSWORD //$SERVER/veto_files -I$SERVER_IP < $tmpfile 2>&1'
>+ eval echo "$cmd"
>+ out=$(eval "$cmd")
>+ ret=$?
>+ rm -f "$tmpfile"
>+ rm -f "$SHAREPATH/$filename"
>+
>+ if [ $ret != 0 ]; then
>+ printf "%s\n" "$out"
>+ printf "failed accessing veto_files share with error %s\n" "$ret"
>+ return 1
>+ fi
>+
>+ if [ "$expected_error" = "NT_STATUS_OK" ]; then
>+ printf "%s" "$out" | grep -c "NT_STATUS_" && false
>+ else
>+ printf "%s" "$out" | grep "$expected_error"
>+ fi
>+ ret=$?
>+ if [ $ret != 0 ]; then
>+ printf "%s\n" "$out"
>+ printf "failed - should get %s doing \"put %s\"\n" "$expected_error" "$filename"
>+ return 1
>+ fi
>+}
>+
> #
> # Using the share "[veto_files]" ensure we
> # cannot fetch a veto'd file or file in a veto'd directory.
>@@ -133,6 +169,16 @@ test_get_veto_file()
> return 0
> }
>
>+test_create_veto_file()
>+{
>+ # Test creating files
>+ smbclient_create_expect_error "veto_name_file" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1
>+ smbclient_create_expect_error "veto_name_dir/file_inside_dir" "NT_STATUS_OBJECT_PATH_NOT_FOUND" || return 1
>+ smbclient_create_expect_error "dir1/veto_name_file" "NT_STATUS_OBJECT_NAME_NOT_FOUND" || return 1
>+
>+ return 0
>+}
>+
> do_cleanup
>
> # Using hash2, veto_name_file\"mangle == VHXE5P~M
>@@ -194,6 +240,7 @@ touch "$SHAREPATH/dir1/dir2/dir3/veto_name_dir\"mangle/file_inside_dir"
> mkdir "$SHAREPATH/dir1/dir2/dir3/veto_name_dir\"mangle/testdir"
> touch "$SHAREPATH/dir1/dir2/dir3/veto_name_dir\"mangle/testdir/file_inside_dir"
>
>+testit "create_veto_file" test_create_veto_file || failed=$((failed + 1))
> testit "get_veto_file" test_get_veto_file || failed=$(("$failed" + 1))
>
> do_cleanup
>--
>2.34.1
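Review bot: The `NT_STATUS_OK` branch of smbclient_create_expect_error can never report success: `grep -c "NT_STATUS_" && false` ends non-zero both when grep matches (through `false`) and when it does not (grep's own exit status 1), so the `ret=$?` that follows always takes the failure path. No caller in this patch passes `NT_STATUS_OK`, so the new test is unaffected, but a later positive test (creating a non-vetoed file must succeed) would fail for the wrong reason. Negating the pipeline fixes it: `! printf "%s" "$out" | grep -q "NT_STATUS_"`. Separately, `eval echo "$cmd"` writes the expanded `-U$USERNAME%$PASSWORD` into the test output; if the rest of the script does the same this is only consistent, but a comment saying these are selftest-only credentials would help.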
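Review bot: test_create_veto_file only exercises `put` with the literal names `veto_name_file` and `veto_name_dir`, while the fix in patch 2/2 changes three separate veto return sites in the case-insensitive lookup. From the hunk alone it is not possible to tell which of those sites each case reaches, so the regression test may leave some of them uncovered. Adding a case-variant spelling and one of the `\"mangle` names already used by this script, each expecting the same NOT_FOUND status, would pin the access-control behaviour more tightly. The comment `# Test creating files` could also state that a successful create of any of these names is the bug being guarded against.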
>
>
>From fac907b5d629569b8b0f3660acbb87735930c29a Mon Sep 17 00:00:00 2001
>From: Ralph Boehme <slow@samba.org>
>Date: Wed, 5 Apr 2023 11:03:52 +0200
>Subject: [PATCH 2/2] smbd: Prevent creation of vetoed files
>
>The problem is when checking for vetoed names on the last path component in
>openat_pathref_fsp_case_insensitive() we return
>NT_STATUS_OBJECT_NAME_NOT_FOUND. The in the caller
>filename_convert_dirfsp_nosymlink() this is treated as the "file creation case"
>causing filename_convert_dirfsp_nosymlink() to return NT_STATUS_OK.
>
>In order to correctly distinguish between the cases
>
>1) file doesn't exist, we may be creating it, return
>2) a vetoed a file
>
>we need 2) to return a more specific error to
>filename_convert_dirfsp_nosymlink(). I've chosen NT_STATUS_OBJECT_NAME_INVALID
>which gets mapped to the appropriate errror NT_STATUS_OBJECT_PATH_NOT_FOUND or
>NT_STATUS_OBJECT_NAME_NOT_FOUND depending on which path component was vetoed.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143
>
>Signed-off-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>
>Autobuild-User(master): Jeremy Allison <jra@samba.org>
>Autobuild-Date(master): Thu Apr 6 23:03:50 UTC 2023 on atb-devel-224
>
>(cherry picked from commit 8b23a4a7eca9b8f80cc4113bb8cf9bb7bd5b4807)
>---
> .../samba3.blackbox.test_veto_files.get_veto_file | 1 -
> source3/smbd/filename.c | 10 +++++++---
> 2 files changed, 7 insertions(+), 4 deletions(-)
> delete mode 100644 selftest/knownfail.d/samba3.blackbox.test_veto_files.get_veto_file
>
>diff --git a/selftest/knownfail.d/samba3.blackbox.test_veto_files.get_veto_file b/selftest/knownfail.d/samba3.blackbox.test_veto_files.get_veto_file
>deleted file mode 100644
>index ff8f37f0509..00000000000
>--- a/selftest/knownfail.d/samba3.blackbox.test_veto_files.get_veto_file
>+++ /dev/null
>@@ -1 +0,0 @@
>-^samba3.blackbox.test_veto_files.create_veto_file\(fileserver\)
>diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
>index b7160af0cfd..2c3d91a923c 100644
>--- a/source3/smbd/filename.c
>+++ b/source3/smbd/filename.c
>@@ -752,7 +752,7 @@ static NTSTATUS openat_pathref_fsp_case_insensitive(
> if (IS_VETO_PATH(dirfsp->conn, smb_fname_rel->base_name)) {
> DBG_DEBUG("veto files rejecting last component %s\n",
> smb_fname_str_dbg(smb_fname_rel));
>- return NT_STATUS_OBJECT_NAME_NOT_FOUND;
>+ return NT_STATUS_NETWORK_OPEN_RESTRICTION;
> }
>
> status = openat_pathref_fsp(dirfsp, smb_fname_rel);
>@@ -818,7 +818,7 @@ static NTSTATUS openat_pathref_fsp_case_insensitive(
> DBG_DEBUG("veto files rejecting last component %s\n",
> smb_fname_str_dbg(smb_fname_rel));
> TALLOC_FREE(cache_key.data);
>- return NT_STATUS_OBJECT_NAME_NOT_FOUND;
>+ return NT_STATUS_NETWORK_OPEN_RESTRICTION;
> }
>
> status = openat_pathref_fsp(dirfsp, smb_fname_rel);
>@@ -848,7 +848,7 @@ lookup:
> if (IS_VETO_PATH(dirfsp->conn, smb_fname_rel->base_name)) {
> DBG_DEBUG("veto files rejecting last component %s\n",
> smb_fname_str_dbg(smb_fname_rel));
>- return NT_STATUS_OBJECT_NAME_NOT_FOUND;
>+ return NT_STATUS_NETWORK_OPEN_RESTRICTION;
> }
>
> status = openat_pathref_fsp(dirfsp, smb_fname_rel);
>@@ -1307,6 +1307,10 @@ static NTSTATUS filename_convert_dirfsp_nosymlink(
> goto done;
> }
>
>+ if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_OPEN_RESTRICTION)) {
>+ /* A vetoed file, pretend it's not there */
>+ status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
>+ }
> if (!NT_STATUS_IS_OK(status)) {
> goto fail;
> }
>--
>2.34.1
>
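Review bot: The three changed return sites in openat_pathref_fsp_case_insensitive (hunks @@ -752, @@ -818 and @@ -848) now use NT_STATUS_NETWORK_OPEN_RESTRICTION as an internal "this name is vetoed" marker, but nothing at those sites says so. The commit message adds to the confusion by naming NT_STATUS_OBJECT_NAME_INVALID as the chosen status. A comment at each return, for example `/* Internal marker for a vetoed name; the caller must map it to NT_STATUS_OBJECT_NAME_NOT_FOUND before it reaches the client. */`, would document the contract. Without it, a future caller that passes the status through unchanged would tell the client that a name is vetoed rather than absent. The function body lies mostly outside these hunks, so its other callers should be checked for the same translation.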
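Review bot: In the @@ -1307 hunk the new translation is only safe because it sits after the block ending in `goto done`, which presumably is where NT_STATUS_OBJECT_NAME_NOT_FOUND is accepted as the file-creation case; the comment `/* A vetoed file, pretend it's not there */` does not record that ordering. Rewriting the status above that block would reintroduce the veto bypass, so the comment should say so, e.g. `/* Vetoed name: map to NOT_FOUND only here, after the create-case check above, so it can never be treated as creatable. */`. The check also rewrites any NT_STATUS_NETWORK_OPEN_RESTRICTION that reaches this point for another reason; whether a lower layer can return it is not visible here. filename_convert_dirfsp_nosymlink starts and ends outside the hunk.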
Flags:
slow
:
review+