The plugin/filter short name detection is very liberal, reserving only
'.' and '/'. Thus, at least in theory, short plugin names containing
almost arbitrary symbols and characters are permitted.

Backslash ought to have been reserved when we added Windows support.

We should probably reserve more characters, but in this commit I only
reserve:

* backslash (i.e. directory separator on Windows)
* ':' and ';' (common path separators)
* '=' (used in nbdkit parameters)
* space and comma (commonly used to separate lists)
* non-printable ASCII characters

Also DIR_SEPARATOR_STR, but that's likely to be already covered by the
other tests so probably does nothing here.

This commit is mainly about tightening up corner cases with possible
security implications, for example if you managed to trick a program
to invoke 'nbdkit "plugin param"' that might have an ambiguous parsing
that you could use to your advantage. It should have no effect on
normal, non-adversarial usage.
---
server/options.h | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/server/options.h b/server/options.h
index 7d0730bae7..8b1bd679e9 100644
--- a/server/options.h
+++ b/server/options.h
@@ -117,7 +117,23 @@ static const struct option long_options[] = {
static inline bool
is_short_name (const char *filename)
{
- return strchr (filename, '.') == NULL && strchr (filename, '/')
== NULL;
+ const size_t n = strlen (filename);
+ size_t i;
+
+ for (i = 0; i < n; ++i) {
+ switch (filename[i]) {
+ case '\0'...31: case 127: /* non-printable ASCII */
+ case '/': case '\\': /* directory separators */
+ case ':': case ';': /* path separators */
+ case ' ':
+ case '.':
+ case ',':
+ case '=':
+ return false;
+ }
+ }
+
+ return strstr (filename, DIR_SEPARATOR_STR) == NULL;
}
#endif /* NBDKIT_OPTIONS_H */
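
Review bot: In `case '\0'...31: case 127:` only the ASCII control range is rejected, so bytes 0x80 and above (for example the bytes of a UTF-8 sequence) are still accepted as part of a short name. If that is intended, a comment next to the switch should say so; otherwise reject them as well, for instance by checking `(unsigned char) filename[i] >= 127` before the switch. The same line uses the GNU case-range extension without spaces around `...`; GCC's documentation recommends writing it as `'\0' ... 31`, and because the loop stops at `strlen (filename)` the range could start at 1. Since the commit message says the final `strstr (filename, DIR_SEPARATOR_STR)` test probably does nothing, a one-line comment at that return explaining why it is kept would save the next reader from wondering.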
--
2.44.0