/*
* security.c: Implementation of the XSLT security framework
*
* See Copyright for the status of this software.
*
* daniel@veillard.com
*/
#define IN_LIBXSLT
#include "libxslt.h"
#include <string.h>
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_SYS_STAT_H
#include <sys/stat.h>
#endif
#ifdef HAVE_MATH_H
#include <math.h>
#endif
#ifdef HAVE_FLOAT_H
#include <float.h>
#endif
#ifdef HAVE_IEEEFP_H
#include <ieeefp.h>
#endif
#ifdef HAVE_NAN_H
#include <nan.h>
#endif
#ifdef HAVE_CTYPE_H
#include <ctype.h>
#endif
#if defined(WIN32) && !defined(__CYGWIN__)
#include <windows.h>
#ifndef INVALID_FILE_ATTRIBUTES
#define INVALID_FILE_ATTRIBUTES ((DWORD)-1)
#endif
#endif
#ifndef HAVE_STAT
# ifdef HAVE__STAT
/* MS C library seems to define stat and _stat. The definition
* is identical. Still, mapping them to each other causes a warning. */
# ifndef _MSC_VER
# define stat(x,y) _stat(x,y)
# endif
# define HAVE_STAT
# endif
#endif
#include <libxml/xmlmemory.h>
#include <libxml/tree.h>
#include <libxml/uri.h>
#include "xslt.h"
#include "xsltInternals.h"
#include "xsltutils.h"
#include "extensions.h"
#include "security.h"
struct _xsltSecurityPrefs {
xsltSecurityCheck readFile;
xsltSecurityCheck createFile;
xsltSecurityCheck createDir;
xsltSecurityCheck readNet;
xsltSecurityCheck writeNet;
};
static xsltSecurityPrefsPtr xsltDefaultSecurityPrefs = NULL;
/************************************************************************
* *
* Module interfaces *
* *
************************************************************************/
/**
* xsltNewSecurityPrefs:
*
* Create a new security preference block
*
* Returns a pointer to the new block or NULL in case of error
*/
xsltSecurityPrefsPtr
xsltNewSecurityPrefs(void) {
xsltSecurityPrefsPtr ret;
xsltInitGlobals();
ret = (xsltSecurityPrefsPtr) xmlMalloc(sizeof(xsltSecurityPrefs));
if (ret == NULL) {
xsltTransformError(NULL, NULL, NULL,
"xsltNewSecurityPrefs : malloc failed\n");
return(NULL);
}
memset(ret, 0, sizeof(xsltSecurityPrefs));
return(ret);
}
/**
* xsltFreeSecurityPrefs:
* @sec: the security block to free
*
* Free up a security preference block
*/
void
xsltFreeSecurityPrefs(xsltSecurityPrefsPtr sec) {
if (sec == NULL)
return;
xmlFree(sec);
}
/**
* xsltSetSecurityPrefs:
* @sec: the security block to update
* @option: the option to update
* @func: the user callback to use for this option
*
* Update the security option to use the new callback checking function
*
* Returns -1 in case of error, 0 otherwise
*/
int
xsltSetSecurityPrefs(xsltSecurityPrefsPtr sec, xsltSecurityOption option,
xsltSecurityCheck func) {
xsltInitGlobals();
if (sec == NULL)
return(-1);
switch (option) {
case XSLT_SECPREF_READ_FILE:
sec->readFile = func; return(0);
case XSLT_SECPREF_WRITE_FILE:
sec->createFile = func; return(0);
case XSLT_SECPREF_CREATE_DIRECTORY:
sec->createDir = func; return(0);
case XSLT_SECPREF_READ_NETWORK:
sec->readNet = func; return(0);
case XSLT_SECPREF_WRITE_NETWORK:
sec->writeNet = func; return(0);
}
return(-1);
}
/**
* xsltGetSecurityPrefs:
* @sec: the security block to update
* @option: the option to lookup
*
* Lookup the security option to get the callback checking function
*
* Returns NULL if not found, the function otherwise
*/
xsltSecurityCheck
xsltGetSecurityPrefs(xsltSecurityPrefsPtr sec, xsltSecurityOption option) {
if (sec == NULL)
return(NULL);
switch (option) {
case XSLT_SECPREF_READ_FILE:
return(sec->readFile);
case XSLT_SECPREF_WRITE_FILE:
return(sec->createFile);
case XSLT_SECPREF_CREATE_DIRECTORY:
return(sec->createDir);
case XSLT_SECPREF_READ_NETWORK:
return(sec->readNet);
case XSLT_SECPREF_WRITE_NETWORK:
return(sec->writeNet);
}
return(NULL);
}
/**
* xsltSetDefaultSecurityPrefs:
* @sec: the security block to use
*
* Set the default security preference application-wide
*/
void
xsltSetDefaultSecurityPrefs(xsltSecurityPrefsPtr sec) {
xsltDefaultSecurityPrefs = sec;
}
/**
* xsltGetDefaultSecurityPrefs:
*
* Get the default security preference application-wide
*
* Returns the current xsltSecurityPrefsPtr in use or NULL if none
*/
xsltSecurityPrefsPtr
xsltGetDefaultSecurityPrefs(void) {
return(xsltDefaultSecurityPrefs);
}
/**
* xsltSetCtxtSecurityPrefs:
* @sec: the security block to use
* @ctxt: an XSLT transformation context
*
* Set the security preference for a specific transformation
*
* Returns -1 in case of error, 0 otherwise
*/
int
xsltSetCtxtSecurityPrefs(xsltSecurityPrefsPtr sec,
xsltTransformContextPtr ctxt) {
if (ctxt == NULL)
return(-1);
ctxt->sec = (void *) sec;
return(0);
}
/**
* xsltSecurityAllow:
* @sec: the security block to use
* @ctxt: an XSLT transformation context
* @value: unused
*
* Function used to always allow an operation
*
* Returns 1 always
*/
int
xsltSecurityAllow(xsltSecurityPrefsPtr sec ATTRIBUTE_UNUSED,
xsltTransformContextPtr ctxt ATTRIBUTE_UNUSED,
const char *value ATTRIBUTE_UNUSED) {
return(1);
}
/**
* xsltSecurityForbid:
* @sec: the security block to use
* @ctxt: an XSLT transformation context
* @value: unused
*
* Function used to always forbid an operation
*
* Returns 0 always
*/
int
xsltSecurityForbid(xsltSecurityPrefsPtr sec ATTRIBUTE_UNUSED,
xsltTransformContextPtr ctxt ATTRIBUTE_UNUSED,
const char *value ATTRIBUTE_UNUSED) {
return(0);
}
/************************************************************************
* *
* Internal interfaces *
* *
************************************************************************/
/**
* xsltCheckFilename
* @path: the path to check
*
* function checks to see if @path is a valid source
* (file, socket...) for XML.
*
* TODO: remove at some point !!!
* Local copy of xmlCheckFilename to avoid a hard dependency on
* a new version of libxml2
*
* if stat is not available on the target machine,
* returns 1. if stat fails, returns 0 (if calling
* stat on the filename fails, it can't be right).
* if stat succeeds and the file is a directory,
* returns 2. otherwise returns 1.
*/
static int
xsltCheckFilename (const char *path)
{
#ifdef HAVE_STAT
struct stat stat_buffer;
#if defined(WIN32) && !defined(__CYGWIN__)
DWORD dwAttrs;
dwAttrs = GetFileAttributes(path);
if (dwAttrs != INVALID_FILE_ATTRIBUTES) {
if (dwAttrs & FILE_ATTRIBUTE_DIRECTORY) {
return 2;
}
}
#endif
if (stat(path, &stat_buffer) == -1)
return 0;
#ifdef S_ISDIR
if (S_ISDIR(stat_buffer.st_mode)) {
return 2;
}
#endif
#endif
return 1;
}
static int
xsltCheckWritePath(xsltSecurityPrefsPtr sec,
xsltTransformContextPtr ctxt,
const char *path)
{
int ret;
xsltSecurityCheck check;
char *directory;
check = xsltGetSecurityPrefs(sec, XSLT_SECPREF_WRITE_FILE);
if (check != NULL) {
ret = check(sec, ctxt, path);
if (ret == 0) {
xsltTransformError(ctxt, NULL, NULL,
"File write for %s refused\n", path);
return(0);
}
}
directory = xmlParserGetDirectory (path);
if (directory != NULL) {
ret = xsltCheckFilename(directory);
if (ret == 0) {
/*
* The directory doesn't exist check for creation
*/
check = xsltGetSecurityPrefs(sec,
XSLT_SECPREF_CREATE_DIRECTORY);
if (check != NULL) {
ret = check(sec, ctxt, directory);
if (ret == 0) {
xsltTransformError(ctxt, NULL, NULL,
"Directory creation for %s refused\n",
path);
xmlFree(directory);
return(0);
}
}
ret = xsltCheckWritePath(sec, ctxt, directory);
if (ret == 1)
ret = mkdir(directory, 0755);
}
xmlFree(directory);
if (ret < 0)
return(ret);
}
return(1);
}
/**
* xsltCheckWrite:
* @sec: the security options
* @ctxt: an XSLT transformation context
* @URL: the resource to be written
*
* Check if the resource is allowed to be written, if necessary makes
* some preliminary work like creating directories
*
* Return 1 if write is allowed, 0 if not and -1 in case or error.
*/
int
xsltCheckWrite(xsltSecurityPrefsPtr sec,
xsltTransformContextPtr ctxt, const xmlChar *URL) {
int ret;
xmlURIPtr uri;
xsltSecurityCheck check;
uri = xmlParseURI((const char *)URL);
if (uri == NULL) {
uri = xmlCreateURI();
if (uri == NULL) {
xsltTransformError(ctxt, NULL, NULL,
"xsltCheckWrite: out of memory for %s\n", URL);
return(-1);
}
uri->path = (char *)xmlStrdup(URL);
}
if ((uri->scheme == NULL) ||
(xmlStrEqual(BAD_CAST uri->scheme, BAD_CAST "file"))) {
#if defined(WIN32) && !defined(__CYGWIN__)
if ((uri->path)&&(uri->path[0]=='/')&&
(uri->path[1]!='\0')&&(uri->path[2]==':'))
ret = xsltCheckWritePath(sec, ctxt, uri->path+1);
else
#endif
/*
* Check if we are allowed to write this file
*/
ret = xsltCheckWritePath(sec, ctxt, uri->path);
if (ret <= 0) {
xmlFreeURI(uri);
return(ret);
}
} else {
/*
* Check if we are allowed to write this network resource
*/
check = xsltGetSecurityPrefs(sec, XSLT_SECPREF_WRITE_NETWORK);
if (check != NULL) {
ret = check(sec, ctxt, (const char *)URL);
if (ret == 0) {
xsltTransformError(ctxt, NULL, NULL,
"File write for %s refused\n", URL);
xmlFreeURI(uri);
return(0);
}
}
}
xmlFreeURI(uri);
return(1);
}
/**
* xsltCheckRead:
* @sec: the security options
* @ctxt: an XSLT transformation context
* @URL: the resource to be read
*
* Check if the resource is allowed to be read
*
* Return 1 if read is allowed, 0 if not and -1 in case or error.
*/
int
xsltCheckRead(xsltSecurityPrefsPtr sec,
xsltTransformContextPtr ctxt, const xmlChar *URL) {
int ret;
xmlURIPtr uri;
xsltSecurityCheck check;
uri = xmlParseURI((const char *)URL);
if (uri == NULL) {
xsltTransformError(ctxt, NULL, NULL,
"xsltCheckRead: URL parsing failed for %s\n",
URL);
return(-1);
}
if ((uri->scheme == NULL) ||
(xmlStrEqual(BAD_CAST uri->scheme, BAD_CAST "file"))) {
/*
* Check if we are allowed to read this file
*/
check = xsltGetSecurityPrefs(sec, XSLT_SECPREF_READ_FILE);
if (check != NULL) {
ret = check(sec, ctxt, uri->path);
if (ret == 0) {
xsltTransformError(ctxt, NULL, NULL,
"Local file read for %s refused\n", URL);
xmlFreeURI(uri);
return(0);
}
}
} else {
/*
* Check if we are allowed to write this network resource
*/
check = xsltGetSecurityPrefs(sec, XSLT_SECPREF_READ_NETWORK);
if (check != NULL) {
ret = check(sec, ctxt, (const char *)URL);
if (ret == 0) {
xsltTransformError(ctxt, NULL, NULL,
"Network file read for %s refused\n", URL);
xmlFreeURI(uri);
return(0);
}
}
}
xmlFreeURI(uri);
return(1);
}