Index: trunk/src/conf.c
===================================================================
--- trunk/src/conf.c (revision 23591)
+++ trunk/src/conf.c (revision 23592)
@@ -2110,66 +2110,4 @@
 free(tmp);
 }
-int pcb_conf_cmd_is_safe_(const char *path_, const char *value, const char **val_out, int msg)
-{
- const char *reason;
- conf_native_t *nd;
- char *path, *s;
-
- if (val_out != NULL)
- *val_out = NULL;
-
- if (value == NULL)
- goto accept;
-
- path = pcb_strdup(path_);
- for(s = path; *s != '\0'; s++)
- if (*s == '.')
- *s = '/';
- nd = conf_get_field(path);
- free(path);
-
- if (nd == NULL) {
- if (msg)
- pcb_message(PCB_MSG_ERROR, "pcb_conf_cmd_is_safe(): invalid node path '%s' (looks like an internal error)\n", path_);
- return 0;
- }
-
- if (nd->array_size > 1) {
- if (msg)
- pcb_message(PCB_MSG_ERROR, "pcb_conf_cmd_is_safe(): invalid node path '%s' (it is an array)\n", path_);
- return 0;
- }
-
- switch(conf_lookup_role(nd->prop[0].src)) {
- /* these are considered safe, because: */
- case CFR_INTERNAL: /* the attacker would have access to the source code and compilation, could place system() anyway */
- case CFR_SYSTEM: /* system admin - lets trust them */
- case CFR_USER: /* user config is written by the user, attackers have no better chance to overwrite that than overwriting the the shell's rc */
- case CFR_CLI: /* command line arguments: the user specified those; who has access to that potentially has access to the shell anyway */
- goto accept;
-
- /* these are considered unsafe, because: */
- case CFR_DEFAULTPCB: /* the default pcb path may be manipulated; the user has the chance to specify the command path setting from safe config files */
- reason = "default pcb"; break;
- case CFR_ENV: /* env vars may be inherited from who-knows-where */
- reason = "env var"; break;
- case CFR_PROJECT: /* malicous file prepared by the attacker */
- reason = "project file"; break;
- case CFR_DESIGN: /* malicous file prepared by the attacker */
- reason = "board file"; break;
- default:
- reason = "unknown source";
- }
-
- if (msg)
- pcb_message(PCB_MSG_ERROR, "pcb_conf_cmd_is_safe(): refusing to use the value of '%s' because it is 
from unsafe source %s\n", path_, reason);
- return 0;
-
- accept:;
- if (val_out != NULL)
- *val_out = value;
- return 1;
-}
-
 #include "conf_regfile.c"
Index: trunk/src/conf.h
===================================================================
--- trunk/src/conf.h (revision 23591)
+++ trunk/src/conf.h (revision 23592)
@@ -379,12 +379,6 @@
 /* Determine the file name of the project file - project_fn and pcb_fn can be NULL */
 const char *conf_get_project_conf_name(const char *project_fn, const char *pcb_fn, const char **out_project_fn);
-/* Return 1 if the config node named in path is considered safe enough
- to specify a command to execute - e.g. an attacker shouldn't be able to
- inject commands in design files sent */
-int pcb_conf_cmd_is_safe_(const char *path, const char *value, const char **val_out, int msg);
-#define pcb_conf_cmd_is_safe(path, val_out, msg) pcb_conf_cmd_is_safe_(#path, conf_core.path, val_out, msg)
-
 /* Get the first subtree that matches pol within target; allocate new subtree if needed */
 lht_node_t *conf_lht_get_first_pol(conf_role_t target, conf_policy_t pol, int create);
Index: trunk/src/plug_io.c
===================================================================
--- trunk/src/plug_io.c (revision 23591)
+++ trunk/src/plug_io.c (revision 23592)
@@ -963,9 +963,7 @@
 if (PCB_EMPTY_STRING_P(conf_core.rc.save_command))
 return pcb_write_pcb_file(Filename, thePcb, fmt, pcb_false, elem_only);
- if (!pcb_conf_cmd_is_safe(rc.save_command, &save_cmd, 1))
- return -1;
-
+ save_cmd = conf_core.rc.save_command;
 /* setup commandline */
 gds_truncate(&command,0);
 for (p = save_cmd; *p; p++) {
Index: trunk/src_plugins/fp_fs/fp_fs.c
===================================================================
--- trunk/src_plugins/fp_fs/fp_fs.c (revision 23591)
+++ trunk/src_plugins/fp_fs/fp_fs.c (revision 23592)
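Review bot: On the new side `save_cmd` is assigned straight from `conf_core.rc.save_command` and then walked by the `/* setup commandline */` loop below, and nothing remains to refuse a value whose configuration role is a board, project, environment or default-pcb source — the removed `pcb_conf_cmd_is_safe_()` in conf.c was the only place that separated the trusted roles (internal, system, user, CLI) from those for the `rc.*_command` settings. If the check is dropped because that role policy is now enforced elsewhere, this line should say so, e.g. `save_cmd = conf_core.rc.save_command; /* trusted: source-role filtering for rc.*_command is done in <PLACEHOLDER: where> */`; if not, the role check belongs back in front of the expansion loop. The same removal appears in the fp_fs.c (`rc.library_shell`), import_netlist.c (`rc.rat_command`), parse_l.c and parse_l.l (`rc.file_command`, `rc.font_command`) hunks, and there the removed call was also the only visible assignment to `libshell`, `ratcmd` and `fcmd`, so `PCB_EMPTY_STRING_P(ratcmd)` and `Parse(NULL, fcmd, NULL, Filename)` inside those hunks now read an unset pointer unless it is assigned above the hunk — they need the `x = conf_core.rc.<setting>;` line this hunk adds. The enclosing function starts before the hunk in every case.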
@@ -493,8 +493,6 @@
 FILE *fp, *f = NULL;
 const char *libshell;
- pcb_conf_cmd_is_safe(rc.library_shell, &libshell, 1);
-
 fctx->field[F_TMPNAME].p = NULL;
 fctx->field[F_IS_PARAMETRIC].i = pcb_fp_dupname(name, &basename, ¶ms);
 if (basename == NULL)
Index: trunk/src_plugins/import_netlist/import_netlist.c
===================================================================
--- trunk/src_plugins/import_netlist/import_netlist.c (revision 23591)
+++ trunk/src_plugins/import_netlist/import_netlist.c (revision 23592)
@@ -68,8 +68,6 @@
 pcb_message(PCB_MSG_INFO, _("Importing PCB netlist %s\n"), filename);
- pcb_conf_cmd_is_safe(rc.rat_command, &ratcmd, 1);
-
 if (PCB_EMPTY_STRING_P(ratcmd)) {
 fp = pcb_fopen(filename, "r");
 if (!fp) {
Index: trunk/src_plugins/io_pcb/parse_l.c
===================================================================
--- trunk/src_plugins/io_pcb/parse_l.c (revision 23591)
+++ trunk/src_plugins/io_pcb/parse_l.c (revision 23592)
@@ -2523,9 +2523,6 @@
 yysubc = NULL;
 yy_settings_dest = settings_dest;
- if (!pcb_conf_cmd_is_safe(rc.file_command, &fcmd, 1))
- return -1;
-
 if (settings_dest != CFR_invalid)
 conf_reset(settings_dest, Filename);
@@ -2629,9 +2626,6 @@
 yysubc = NULL;
 yyFontReset = pcb_false;
- if (!pcb_conf_cmd_is_safe(rc.font_command, &fcmd, 1))
- return -1;
-
 yy_settings_dest = CFR_invalid;
 r = Parse(NULL, fcmd, NULL, Filename);
 if (r == 0) {
Index: trunk/src_plugins/io_pcb/parse_l.l
===================================================================
--- trunk/src_plugins/io_pcb/parse_l.l (revision 23591)
+++ trunk/src_plugins/io_pcb/parse_l.l (revision 23592)
@@ -380,9 +380,6 @@
 yysubc = NULL;
 yy_settings_dest = settings_dest;
- if (!pcb_conf_cmd_is_safe(rc.file_command, &fcmd, 1))
- return -1;
-
 if (settings_dest != CFR_invalid)
 conf_reset(settings_dest, Filename);
@@ -486,9 +483,6 @@
 yysubc = NULL;
 yyFontReset = pcb_false;
- if (!pcb_conf_cmd_is_safe(rc.font_command, &fcmd, 1))
- return -1;
-
 yy_settings_dest = CFR_invalid;
 r = Parse(NULL, fcmd, NULL, Filename);
 if (r == 0) {