os: restrict display names to digits

We call atoi() on the server's display to get the socket but otherwise use the unmodified display for log file name, xkb paths, etc. This results in Xorg :banana being the equivalent of Xorg :0, except for the log files being in /var/log/Xorg.banana.log. I'm not sure there's a good use-case for this behaviour. Check the display for something that looks reasonable, i.e. digits only, but do allow for :0.0 (i.e. digits, followed by a period, followed by one or two digits). Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Keith Packard <keithp@keithp.com>
2014-01-13 17:00:23 +10:00 · 2014-01-13 17:00:23 +10:00 · 71baa466b1
commit 71baa466b1
parent e819028721
1 changed files with 27 additions and 0 deletions
--- a/os/utils.c
+++ b/os/utils.c
@ -600,6 +600,10 @@ UseMsg(void)
 static int
 VerifyDisplayName(const char *d)
 {
+    int i;
+    int period_found = FALSE;
+    int after_period = 0;
+
    if (d == (char *) 0)
        return 0;               /*  null  */
    if (*d == '\0')
@ -610,6 +614,29 @@ VerifyDisplayName(const char *d)
        return 0;               /*  must not equal "." or ".."  */
    if (strchr(d, '/') != (char *) 0)
        return 0;               /*  very important!!!  */
+
+    /* Since we run atoi() on the display later, only allow
+       for digits, or exception of :0.0 and similar (two decimal points max)
+       */
+    for (i = 0; i < strlen(d); i++) {
+        if (!isdigit(d[i])) {
+            if (d[i] != '.' || period_found)
+                return 0;
+            period_found = TRUE;
+        } else if (period_found)
+            after_period++;
+
+        if (after_period > 2)
+            return 0;
+    }
+
+    /* don't allow for :0. */
+    if (period_found && after_period == 0)
+        return 0;
+
+    if (atol(d) > INT_MAX)
+        return 0;
+
    return 1;
 }