From: D Brashear <shadow@your-file-system.com>
Date: Fri, 18 Jul 2014 20:00:12 +0000 (-0400)
Subject: vlserver: limit use of regex to admins always
X-Git-Tag: upstream/1.6.14^2~3
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=0b4cad31128623b1cf381384b8cf50336a86be9c;p=packages%2Fo%2Fopenafs.git

vlserver: limit use of regex to admins always

allow regexes only if the querying user is a superuser.
if the superuser uses up all the resources, well, they could just do
whatever damage directly anyway. means even in unrestricted mode
we are not vulnerable

Reviewed-on: http://gerrit.openafs.org/11968
Reviewed-by: Daria Brashear <shadow@your-file-system.com>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit 049323e7e03c64f534a73ff452d218f19d5b8132)

Change-Id: I1e3f11bd14b071be69eb6e00c26ea2209596c82a
Reviewed-on: http://gerrit.openafs.org/11975
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
---

diff --git a/src/vlserver/vlprocs.c b/src/vlserver/vlprocs.c
index 4fb5db078..2f56b19d8 100644
--- a/src/vlserver/vlprocs.c
+++ b/src/vlserver/vlprocs.c
@@ -1515,6 +1515,10 @@ SVL_ListAttributesN2(struct rx_call *rxcall,
 	findpartition = ((attributes->Mask & VLLIST_PARTITION) ? 1 : 0);
 	findflag = ((attributes->Mask & VLLIST_FLAG) ? 1 : 0);
 	if (name && (strcmp(name, ".*") != 0) && (strcmp(name, "") != 0)) {
+	    if (!afsconf_SuperUser(vldb_confdir, rxcall, NULL)) {
+		errorcode = VL_PERM;
+		goto done;
+	    }
 	    sprintf(volumename, "^%s$", name);
 #ifdef HAVE_POSIX_REGEX
 	    if (regcomp(&re, volumename, REG_NOSUB) != 0) {