bin/161936: [openbsm][patch] praudit can produce invalid XML output

Ryan Steinmetz zi at FreeBSD.org
Sat Feb 25 00:05:35 UTC 2012


This updated patch addresses all known conditions that result in invalid
XML being produced by praudit(1).

-r
-------------- next part --------------
--- contrib/openbsm/libbsm/bsm_io.c.orig	2012-02-24 18:18:03.000000000 -0500
+++ contrib/openbsm/libbsm/bsm_io.c	2012-02-24 18:45:11.000000000 -0500
@@ -73,6 +73,7 @@
 #include <string.h>
 #include <pwd.h>
 #include <grp.h>
+#include <vis.h>
 
 #include <bsm/audit_internal.h>
 
@@ -214,6 +215,45 @@
 }
 
 /*
+ * Prints the given data bytes as an XML-sanitized string.
+ */
+static void
+print_xml_string(FILE *fp, const char *str, size_t len)
+{
+	u_int32_t i;
+	char visbuf[5];
+
+	if (len == 0)
+		return;
+
+	for (i = 0; i < len; i++) {
+		switch (str[i]) {
+			case '\0':
+				return;
+			case '&':
+				(void) fprintf(fp, "&amp;");
+				break;
+			case '<':
+				(void) fprintf(fp, "&lt;");
+				break;
+			case '>':
+				(void) fprintf(fp, "&gt;");
+				break;
+			case '\"':
+				(void) fprintf(fp, "&quot;");
+				break;
+			case '\'':
+				(void) fprintf(fp, "&apos;");
+				break;
+			default:
+				(void) vis(visbuf, str[i], VIS_CSTYLE, 0);
+				(void) fprintf(fp, visbuf);
+				break;
+		}
+	}
+}
+
+/*
  * Prints the beggining of attribute.
  */
 static void
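Review bot: The default case of print_xml_string passes visbuf as the format string, `(void) fprintf(fp, visbuf);`, so a `%` byte in the input (which vis(3) should copy through unchanged under VIS_CSTYLE) reaches fprintf as an incomplete conversion specification, which is undefined behaviour. The later hunks feed this function execarg and execenv text, which presumably originates from the audited process and should be treated as untrusted. Write the buffer as data instead: `(void) fputs(visbuf, fp);`. Separately, `i` is declared `u_int32_t` while `len` is `size_t`; declaring `size_t i;` removes the mixed-width comparison in the loop condition.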
@@ -1855,7 +1895,7 @@
 	for (i = 0; i < tok->tt.execarg.count; i++) {
 		if (xml) {
 			fprintf(fp, "<arg>");
-			print_string(fp, tok->tt.execarg.text[i],
+			print_xml_string(fp, tok->tt.execarg.text[i],
 			    strlen(tok->tt.execarg.text[i]));
 			fprintf(fp, "</arg>");
 		} else {
@@ -1914,7 +1954,7 @@
 	for (i = 0; i< tok->tt.execenv.count; i++) {
 		if (xml) {
 			fprintf(fp, "<env>");
-			print_string(fp, tok->tt.execenv.text[i],
+			print_xml_string(fp, tok->tt.execenv.text[i],
 			    strlen(tok->tt.execenv.text[i]));
 			fprintf(fp, "</env>");
 		} else {

