Stricter validation of VM names and normalized targets

It turns out that the Windows agent uses "|" as an internal delimiter, and programs under both Linux and Windows may assume that there are no forbidden characters in $QREXEC_REMOTE_DOMAIN and either $QREXEC_REQUESTED_TARGET_NAME or $QREXEC_REQUESTED_TARGET_KEYWORD. Only allow expected characters.
QubesOS · Jan 8, 2025 · 988d99f · 988d99f
1 parent 856316d
commit 988d99f
Showing 1 changed file with 24 additions and 6 deletions.
diff --git a/daemon/qrexec-daemon.c b/daemon/qrexec-daemon.c
@@ -1142,16 +1142,34 @@ static _Noreturn void do_exec(const char *prog, const char *username __attribute
     _exit(QREXEC_EXIT_PROBLEM);
 }
 
-/* check that the input is non-empty with only printable ASCII characters */
+/* check that the input is non-empty with only safe characters */
 static bool check_single_word(const char *token)
 {
     const char *cursor = token;
-    do {
-        if (*cursor < 0x21 || *cursor > 0x7E)
+    switch (*cursor++) {
+    case 'A' ... 'Z':
+    case 'a' ... 'z':
+        break;
+    default:
+        return false;
+    }
+    for (;;) {
+        switch (*cursor++) {
+        case 'A' ... 'Z':
+        case 'a' ... 'z':
+        case '0' ... '9':
+        case '_':
+        case ':':
+        case '-':
+        case '.':
+        case '@': // not used today but might be in future
+            break;
+        case '\0':
+            return true;
+        default:
             return false;
-        cursor++;
-    } while (*cursor != 0);
-    return true;
+        }
+    }
 }
 
 _Noreturn static void handle_execute_service_child(