Make sure it is reasonable before we pass it through to the kernel
command line. I don't believe this is exploitable, but it might cause
obscure bugs.
---
src/launch.c | 26 +++++++++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/src/launch.c b/src/launch.c
index 84d5e82..ee2a23d 100644
--- a/src/launch.c
+++ b/src/launch.c
@@ -39,6 +39,8 @@
#include <assert.h>
#include <libintl.h>
+#include "c-ctype.h"
+
#include "guestfs.h"
#include "guestfs-internal.h"
#include "guestfs-internal-actions.h"
@@ -284,6 +286,28 @@ guestfs_impl_config (guestfs_h *g,
return 0;
}
+/**
+ * Check that the $TERM environment variable is reasonable before
+ * we pass it through to the appliance.
+ */
+static int
+valid_term (const char *term)
+{
+ size_t len = strlen (term);
+
+ if (len == 0 || len > 16)
+ return 0;
+
+ while (len > 0) {
+ char c = *term++;
+ len--;
+ if (!c_isalnum (c) && c != '-' && c != '_')
+ return 0;
+ }
+
+ return 1;
+}
+
#if defined(__powerpc64__)
#define SERIAL_CONSOLE "console=hvc0 console=ttyS0"
#elif defined(__arm__) || defined(__aarch64__)
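Review bot: The 16-character cap and the alphanumeric/`-`/`_` allow-list in `valid_term` are not explained, and they look narrower than the names terminfo actually ships: `rxvt-unicode-256color` is 21 characters, and entries such as `screen.xterm-256color` contain a `.`. An allow-list is the right shape for a value that ends up on the appliance kernel command line, so I would keep it, but give the limit a name (for example `#define MAX_TERM_LEN 16`, or a larger value if long names should pass). The doc comment should state why the set is restricted: whitespace, quotes and other separators must never reach the command line. It should also say that the function returns 1 for an acceptable value and 0 otherwise, and that the caller falls back to a default on 0. As a style point, the separate `len` countdown is redundant with the NUL terminator once the length check has passed; `for (; *term; term++)` reads more directly.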
@@ -425,7 +449,7 @@ guestfs_int_appliance_command_line (guestfs_h *g, const char
*appliance_dev,
guestfs_int_add_string (g, &argv, "guestfs_network=1");
/* TERM environment variable. */
- if (term)
+ if (term && valid_term (term))
guestfs_int_add_sprintf (g, &argv, "TERM=%s", term);
else
guestfs_int_add_string (g, &argv, "TERM=linux");
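Review bot: When `valid_term (term)` fails, the `else` branch substitutes `TERM=linux` without leaving any trace, so a user whose terminal name is rejected gets a different terminal type inside the appliance and no hint why. A fixed-text debug message in that case would make it diagnosable, for example `if (term) debug (g, "TERM from environment rejected, using TERM=linux");` placed in the `else` branch, assuming the library's `debug` helper is usable here. The message should not echo the rejected value, since it may hold control or escape characters that would then land in logs or on a terminal. The enclosing `guestfs_int_appliance_command_line` starts and ends outside this hunk, so how `term` is obtained is not visible here.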
--
2.10.2