diff options
| author | Jann Horn <jannh@google.com> | 2018-07-13 15:15:36 -0700 |
|---|---|---|
| committer | Nikolaus Rath <Nikolaus@rath.org> | 2018-07-21 12:17:49 +0100 |
| commit | 520f09be3c2d351722c33daf7389d6ac4716be98 (patch) | |
| tree | 2ea12463fa3dc7275a371e4c296256e1c93f8383 | |
| parent | b045ea4bb7a33ae3c6f6fc6e7371708810acd01a (diff) | |
| download | fuse-520f09be3c2d351722c33daf7389d6ac4716be98.tar.gz | |
fusermount: don't feed "escaped commas" into mount options
The old code permits the following behavior:
$ _FUSE_COMMFD=10000 priv_strace -etrace=mount -s200 fusermount -o 'foobar=\,allow_other' mount
mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "foobar=\\,allow_other,fd=3,rootmode=40000,user_id=1000,group_id=1000") = -1 EINVAL (Invalid argument)
However, backslashes do not have any special meaning for the kernel here.
As it happens, you can't abuse this because there is no FUSE mount option
that takes a string value that can contain backslashes; but this is very
brittle. Don't interpret "escape characters" in places where they don't
work.
| -rw-r--r-- | util/fusermount.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/util/fusermount.c b/util/fusermount.c index 26a0b75..5175c01 100644 --- a/util/fusermount.c +++ b/util/fusermount.c @@ -29,6 +29,7 @@ #include <sys/socket.h> #include <sys/utsname.h> #include <sched.h> +#include <stdbool.h> #define FUSE_COMMFD_ENV "_FUSE_COMMFD" @@ -739,8 +740,10 @@ static int do_mount(const char *mnt, char **typep, mode_t rootmode, unsigned len; const char *fsname_str = "fsname="; const char *subtype_str = "subtype="; + bool escape_ok = begins_with(s, fsname_str) || + begins_with(s, subtype_str); for (len = 0; s[len]; len++) { - if (s[len] == '\\' && s[len + 1]) + if (escape_ok && s[len] == '\\' && s[len + 1]) len++; else if (s[len] == ',') break; |