
restricting modules



-----BEGIN PGP SIGNED MESSAGE-----

This patch changes the effect of the RESTRICTED option on zmodload.

Prior to this patch, any arbitrary untrusted module could be declared
to be a dependency of a safe module, and thus untrusted code could be run.
This patch closes that security hole by preventing the specification of
a module containing a /.  Note that it is not a problem to declare safe
dependencies of unsafe modules: that doesn't make it any easier to load
the unsafe module.

The restriction on zmodload -a is also changed to match.  The idea is
that only the loading of unsafe modules should be prevented, and that
functionality should not be otherwise reduced.

 -zefram

 *** Doc/Zsh/restricted.yo	1997/01/29 05:42:43	1.2
 --- Doc/Zsh/restricted.yo	1997/03/23 02:23:37
 ***************
 *** 26,34 ****
   commands)
   itemiz(turning off restricted mode with tt(set +r) or tt(unsetopt
   RESTRICTED))
 ! itemiz(loading modules with an explicitely given pathname containing
 ! slashes)
 ! itemiz(adding/deleting builtins with tt(zmodload -a))
   enditemize()
   
   These restrictions are enforced after processing the startup files.  The
 --- 26,33 ----
   commands)
   itemiz(turning off restricted mode with tt(set +r) or tt(unsetopt
   RESTRICTED))
 ! itemiz(specifying modules to be loaded with an explicitly given
 ! pathname containing slashes)
   enditemize()
   
   These restrictions are enforced after processing the startup files.  The
 *** Src/module.c	1997/03/20 03:53:56	1.25
 --- Src/module.c	1997/03/23 02:32:35
 ***************
 *** 499,509 ****
   	return 0;
       } else {
   	/* add dependencies */
   	char *tnam = *args++;
   
 ! 	while (*args)
 ! 	    add_dep(tnam, *args++);
 ! 	return 0;
       }
   }
   
 --- 499,515 ----
   	return 0;
       } else {
   	/* add dependencies */
 + 	int ret = 0;
   	char *tnam = *args++;
   
 ! 	for(; *args; args++) {
 ! 	    if(isset(RESTRICTED) && strchr(*args, '/')) {
 ! 		zwarnnam(nam, "%s: restricted", *args, 0);
 ! 		ret = 1;
 ! 	    } else
 ! 		add_dep(tnam, *args);
 ! 	}
 ! 	return ret;
       }
   }
   
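Review bot: The restricted-mode test `isset(RESTRICTED) && strchr(..., '/')` followed by the same `"%s: restricted"` warning now appears twice, here in the dependency loop and again in the third Src/module.c hunk for the `-a` module name; since this is the gate that decides whether an explicit pathname may reach a module load, keeping it in one place makes it easier to audit and keeps the two sites from drifting. A small static helper, sketched below, would let both sites read `if (restricted_modname(nam, *args)) { ret = 1; } else add_dep(tnam, *args);`. The new lines also write `for(` and `if(` without a space, whereas the surrounding file uses `if (ops['u'])` and `if (strchr(bnam, '/'))`. This check only catches names containing a slash; whether a slash-free dependency name is later resolved solely against the module search path depends on how `add_dep` and the loader treat it, which is outside this hunk, so I have not verified that. The enclosing function begins before the first line of the hunk.
```c
/* In restricted mode, refuse a module name given as an explicit path. */
static int
restricted_modname(char *nam, char *modname)
{
    if (isset(RESTRICTED) && strchr(modname, '/')) {
	zwarnnam(nam, "%s: restricted", modname, 0);
	return 1;
    }
    return 0;
}
/* … unchanged: callers in the dependency loop and the -a branch use the helper in place of the inline test … */
```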
 ***************
 *** 514,523 ****
   
       if(ops['u']) {
   	/* remove autoloaded builtins */
 - 	if (isset(RESTRICTED)) {
 - 	    zwarnnam(nam, "-a is not allowed in restricted mode", *args, 0);
 - 	    return 1;
 - 	}
   	for (; *args; args++) {
   	    Builtin bn = (Builtin) builtintab->getnode2(builtintab, *args);
   
 --- 520,525 ----
 ***************
 *** 541,551 ****
       } else {
   	/* add autoloaded builtins */
   	char *modnam;
 ! 	if (isset(RESTRICTED)) {
 ! 	    zwarnnam(nam, "-a is not allowed in restricted mode", *args, 0);
   	    return 1;
   	}
 - 	modnam = *args++;
   	do {
   	    char *bnam = *args ? *args++ : modnam;
   	    if (strchr(bnam, '/')) {
 --- 543,553 ----
       } else {
   	/* add autoloaded builtins */
   	char *modnam;
 ! 	modnam = *args++;
 ! 	if(isset(RESTRICTED) && strchr(modnam, '/')) {
 ! 	    zwarnnam(nam, "%s: restricted", modnam, 0);
   	    return 1;
   	}
   	do {
   	    char *bnam = *args ? *args++ : modnam;
   	    if (strchr(bnam, '/')) {

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: ascii

iQCVAwUBMzSXn3D/+HJTpU/hAQHuNgP+LnJMnwv8Xvn/w651C+XB28LVxU71WTtp
fSmMhxKdEFx6N2eXEOcDVSmzdF8QXdELEz1VrZLWgjdb9tztTJ5u2FoSVrRtFHfH
7Q8WvTFGw09dsy9M28fNs2UiROHf1cbyzVieK0eSw1ue39HsCSCcbXY2z4xTfz7u
ywk86Y2k9DE=
=pkzu
-----END PGP SIGNATURE-----


