|
|
//
// SafeFile.cpp
//
// Functions to help prevent opening unsafe files.
//
// History:
//
// 2002-03-18 KenSh Created
//
// Copyright (c) 2002 Microsoft Corporation
//
#include "stdafx.h"
#include "SafeFile.h"
#include <strsafe.h>
//
// Hopefully most projects already define these; if not, ensure we still compile
//
#ifndef ASSERT
#define ASSERT(x)
#endif
#ifndef ARRAYSIZE
#define ARRAYSIZE(ar) (sizeof(ar)/sizeof((ar)[0]))
#endif
//
// Eliminate an unnecessary function call on Unicode builds
//
#ifndef CHARNEXT
#ifdef UNICODE
#define CHARNEXT(psz) (psz+1)
#else
#define CHARNEXT CharNextA
#endif
#endif
//
// Local function declarations
//
static inline BOOL IsSlashOrBackslash(IN TCHAR ch);static inline BOOL IsSlashOrBackslash(IN TCHAR ch);static BOOL SkipLangNeutralPrefix(IN LPCTSTR pszString, IN LPCTSTR pszPrefix, OUT LPCTSTR* ppszResult);static BOOL MyPathFindNextComponent(IN LPCTSTR pszFileName, IN BOOL fAllowForwardSlash, OUT LPCTSTR* ppszResult);static BOOL SkipPathDrivePart(IN LPCTSTR pszFileName, OUT OPTIONAL int* pcchDrivePart, OUT OPTIONAL BOOL* pfUNC, OUT OPTIONAL BOOL* pfExtendedSyntax);static HRESULT CheckValidDriveType(IN LPCTSTR pszFileName, IN BOOL fAllowNetworkDrive, IN BOOL fAllowRemovableDrive);static BOOL WINAPI DoesPathContainDotDot(IN LPCTSTR pszFileName);static BOOL DoesPathContainStreamSyntax(IN LPCTSTR pszFileName);static HRESULT CheckReparsePointPermissions(IN DWORD dwReparseType);
//============================================================================
static inline HRESULT GetLastErrorAsHresult(){ DWORD dwErr = GetLastError(); return HRESULT_FROM_WIN32(dwErr);}
// IsSlashOrBackslash [private]
//
// Helper function to simplify code that checks for path separators.
// Most places where backslash is valid, forward slash is also valid.
//
static inline BOOL IsSlashOrBackslash(IN TCHAR ch){ return (ch == _T('\\') || ch == _T('/'));}
// StrLenWithMax [private]
//
// Returns the equivalent of min(lstrlen(pszString), cchMax)
// but avoids most of the lstrlen when cchMax is small.
//
static int StrLenWithMax(IN LPCTSTR pszString, IN int cchMax){ int cch = 0; while (*pszString && cch < cchMax) cch++; return cch;}
// SkipLangNeutralPrefix [private]
//
// Sets the out param to the new string pointer after skipping the prefix,
// if the string starts with the prefix (case-insensitive). Otherwise sets
// the out param to the start of the input string.
//
// Returns TRUE if the prefix was found & skipped, otherwise FALSE.
//
static BOOL SkipLangNeutralPrefix(IN LPCTSTR pszString, IN LPCTSTR pszPrefix, OUT LPCTSTR* ppszResult){ int cchPrefix = lstrlen(pszPrefix); int cchString = StrLenWithMax(pszString, cchPrefix); BOOL fResult = FALSE;
if (CSTR_EQUAL == CompareString(MAKELCID(LANG_ENGLISH, SORT_DEFAULT), NORM_IGNORECASE, pszString, cchString, pszPrefix, cchPrefix)) { fResult = TRUE; pszString += cchPrefix; }
*ppszResult = pszString; return fResult;}
// MyPathFindNextComponent [private]
//
// Skips past the next component of the given path, including the slash or
// backslash that follows it.
//
// Sets the out param to the beginning of the next path component, or to
// the end of string if there is no next path component.
//
// Returns TRUE if a slash or backslash was found and skipped. Note that
// the out param can be "" even if function returns TRUE.
//
static BOOL MyPathFindNextComponent ( IN LPCTSTR pszFileName, IN BOOL fAllowForwardSlash, OUT LPCTSTR* ppszResult ){ // This is a string-parsing helper function; params should never be NULL
ASSERT(pszFileName != NULL); ASSERT(ppszResult != NULL);
LPCTSTR pszStart = pszFileName; TCHAR chSlash2 = (fAllowForwardSlash ? _T('/') : _T('\\')); BOOL fResult = FALSE;
for (;;) { TCHAR ch = *pszFileName; if (ch == _T('\0')) break; // didn't find a path separator; we'll return FALSE
// Advance to next char, even if current char is path separator (\ or /)
pszFileName = CHARNEXT(pszFileName);
if (ch == _T('\\') || ch == chSlash2) { fResult = TRUE; break; } }
*ppszResult = pszFileName; return fResult;}
// SkipPathDrivePart [private]
//
// Parses the filename to determine the length of the base drive portion of
// the filename, and to determine what syntax the name is in.
//
// This function does not actually examine the drive or file to ensure existence,
// or to recognize that a drive letter like X:\ might be a network drive.
//
// Returns:
// TRUE - if the input is a full path
// FALSE - if input param is not a full path, or is bogus. The pcchDrivePart
// out param is set to 0 in this case.
//
static BOOL SkipPathDrivePart ( IN LPCTSTR pszFileName, // input path name (full or relative path)
OUT OPTIONAL int* pcchDrivePart, // # of TCHARs used by drive part
OUT OPTIONAL BOOL* pfUNC, // TRUE if path is UNC (not incl mapped drive)
OUT OPTIONAL BOOL* pfExtendedSyntax // TRUE if path is \\?\ syntax
){ BOOL fFullPath = FALSE; LPCTSTR pszOriginalFileName = pszFileName; int fUNC = FALSE; int fExtendedSyntax = FALSE;
if (!pszFileName) goto done;
// BLOCK
{ //
// Skip \\?\ if present. (This part must use backslashes, not forward slashes)
//
#ifdef UNICODE
if (SkipLangNeutralPrefix(pszFileName, _T("\\\\?\\"), &pszFileName)) { fExtendedSyntax = TRUE;
if (SkipLangNeutralPrefix(pszFileName, _T("UNC\\"), &pszFileName)) { fUNC = TRUE; // Found "\\?\UNC\..."
} else if (SkipLangNeutralPrefix(pszFileName, _T("Volume{"), &pszFileName)) { // Found "\\?\Volume{1f3b3813-ddbf-11d5-ab2e-806d6172696f}\".
// Skip the rest of the volume name.
fFullPath = MyPathFindNextComponent(pszFileName, FALSE, &pszFileName); goto done; } // else continue normal parsing starting at updated pszFileName pointer
}#endif // UNICODE
//
// Check for path of the form C:\
//
TCHAR chFirstUpper = (TCHAR)CharUpper((LPTSTR)(pszFileName[0])); if (chFirstUpper >= _T('A') && chFirstUpper <= _T('Z') && pszFileName[1] == _T(':') && pszFileName[2] == _T('\\')) { pszFileName += 3; fFullPath = TRUE; goto done; }
//
// Check for UNC of the form \\server\share\
//
if (!fExtendedSyntax && pszFileName[0] == _T('\\') && pszFileName[1] == _T('\\')) { fUNC = TRUE; pszFileName += 2; // skip the "\\"
} if (fUNC) // may be \\server\share\ or \\?\UNC\server\share\
{ // Skip past server and share names. Trailing backslash is NOT optional.
if (!MyPathFindNextComponent(pszFileName, TRUE, &pszFileName) || !MyPathFindNextComponent(pszFileName, TRUE, &pszFileName)) { goto done; // incomplete UNC path -> return failure
}
fFullPath = TRUE; } }
done: if (pcchDrivePart) *pcchDrivePart = fFullPath ? (int)(pszFileName - pszOriginalFileName) : 0; if (pfUNC) *pfUNC = fUNC; if (pfExtendedSyntax) *pfExtendedSyntax = fExtendedSyntax;
return fFullPath;}
// GetReparsePointType [public]
//
// Given the full path of a file or directory, determines what type of
// reparse point the path represents.
//
// Returns S_OK if the type of reparse point could be determined, or
// an appropriate error code if not.
//
// The out param is set to the reparse point type, or 0 if none.
// The value for both volume mount points and junction points is
// IO_REPARSE_TAG_MOUNT_POINT. (Use GetVolumeNameForVolumeMountPoint
// to distinguish, if necessary.)
//
HRESULT WINAPI GetReparsePointType ( IN LPCTSTR pszFileName, // full path to folder to check
OUT DWORD* pdwReparsePointType // set to reparse point type, or 0 if none
){ HRESULT hr = S_OK; DWORD dwReparseType = 0;
ASSERT(pdwReparsePointType);
// BLOCK
{ if (!pszFileName) { hr = E_INVALIDARG; goto done; }
DWORD dwAttrib = GetFileAttributes(pszFileName); if (dwAttrib == INVALID_FILE_ATTRIBUTES) goto win32_error;
if (dwAttrib & FILE_ATTRIBUTE_REPARSE_POINT) { WIN32_FIND_DATA Find; HANDLE hFind = FindFirstFile(pszFileName, &Find); if (hFind == INVALID_HANDLE_VALUE) goto win32_error;
dwReparseType = Find.dwReserved0; FindClose(hFind); } goto done; }
win32_error: hr = GetLastErrorAsHresult();
done: *pdwReparsePointType = dwReparseType; ASSERT(hr != E_INVALIDARG); return hr;}
// CheckReparsePointPermissions [private]
//
// Determines whether or not it's ok to trust the given reparse type.
// Returns S_OK if it's safe, or an appropriate error message if not.
//
static HRESULT CheckReparsePointPermissions(IN DWORD dwReparseType){ HRESULT hr = S_OK;
// REVIEW: Any reason to worry about these other types of reparse points?
// IO_REPARSE_TAG_HSM, IO_REPARSE_TAG_SIS, IO_REPARSE_TAG_DFS, etc.
if (dwReparseType == IO_REPARSE_TAG_MOUNT_POINT) { hr = HRESULT_FROM_WIN32(ERROR_ACCESS_DENIED); }
return hr;}
// CheckValidDriveType [private]
//
// Gets the volume name associated with the given file, and checks the
// return value from GetDriveType() to see whether or not operations
// are allowed on the file.
//
static HRESULT CheckValidDriveType ( IN LPCTSTR pszFileName, // full path of a file whose drive we want to check
IN BOOL fAllowNetworkDrive, // determines whether or not net drives are allowed
IN BOOL fAllowRemovableDrive // determines whether or not removable drives are allowed
){ HRESULT hr = E_INVALIDARG; LPTSTR pszVolumePath = NULL;
// BLOCK
{ if (!pszFileName) { goto done; // hr is already E_INVALIDARG
}
int cchFileName = lstrlen(pszFileName); pszVolumePath = (LPTSTR)SafeFileMalloc(sizeof(TCHAR) * (cchFileName+1)); if (!pszVolumePath) { hr = E_OUTOFMEMORY; goto done; }
#ifdef UNICODE
if (!GetVolumePathName(pszFileName, pszVolumePath, cchFileName+1)) { hr = GetLastErrorAsHresult(); goto done; }#else
int cchDrivePart; if (!SkipPathDrivePart(pszFileName, &cchDrivePart, NULL, NULL)) { hr = HRESULT_FROM_WIN32(ERROR_PATH_NOT_FOUND); goto done; } StringCchCopy(pszVolumePath, cchDrivePart+1, pszFileName);#endif
UINT uDriveType = GetDriveType(pszVolumePath); switch (uDriveType) { case DRIVE_FIXED: hr = S_OK; break;
case DRIVE_REMOVABLE: case DRIVE_CDROM: case DRIVE_UNKNOWN: case DRIVE_RAMDISK: hr = fAllowRemovableDrive ? S_OK : E_ACCESSDENIED; break;
case DRIVE_REMOTE: hr = fAllowNetworkDrive ? S_OK : E_ACCESSDENIED; break;
default: hr = E_INVALIDARG; break; } }
done: SafeFileFree(pszVolumePath);
ASSERT(hr != E_INVALIDARG); return hr;}
// IsFullPathName [public]
//
// Determines whether the given filename is a full path including a drive
// or UNC. Filenames such as \\?\ are supported, and can be considered
// valid or not depending on the dwSafeFlags parameter.
//
// Returns:
// TRUE - if the filename is a full path
// FALSE - if filename is NULL, isn't a full path, or fails to meet
// the criteria given in the dwSafeFlags parameter.
//
BOOL WINAPI IsFullPathName ( IN LPCTSTR pszFileName, // full or relative path to a file
OUT OPTIONAL BOOL* pfUNC, // TRUE path is UNC (int incl mapped drive)
OUT OPTIONAL BOOL* pfExtendedSyntax // TRUE if path is \\?\ syntax
){ return SkipPathDrivePart(pszFileName, NULL, pfUNC, pfExtendedSyntax);}
// DoesPathContainDotDot [private]
//
// Returns TRUE if the path contains any ".." references, else FALSE.
//
static BOOL WINAPI DoesPathContainDotDot(IN LPCTSTR pszFileName){ if (!pszFileName) return FALSE;
while (*pszFileName) { // Flag path components that consist exactly of ".." (nothing following)
if (pszFileName[0] == _T('.') && pszFileName[1] == _T('.') && (pszFileName[2] == _T('/') || pszFileName[2] == _T('\\') || pszFileName[2] == _T('\0'))) { return TRUE; }
MyPathFindNextComponent(pszFileName, TRUE, &pszFileName); }
return FALSE;}
// DoesPathContainStreamSyntax [private]
//
// Returns TRUE if the path contains any characters that could cause it
// to refer to an alternate NTFS stream (namely any ":" characters beyond
// the drive specification).
//
static BOOL DoesPathContainStreamSyntax(IN LPCTSTR pszFileName){ if (!pszFileName) return FALSE;
int cchSkip; SkipPathDrivePart(pszFileName, &cchSkip, NULL, NULL);
for (LPCTSTR pch = pszFileName + cchSkip; *pch; pch = CHARNEXT(pch)) { if (*pch == _T(':')) return TRUE; }
return FALSE;}
// SafeCreateFile [public]
//
// Opens the given file, ensuring that it meets certain path standards (e.g.
// doesn't contain "..") and that it is a file, not a device or named pipe.
//
HRESULT WINAPI SafeCreateFile ( OUT HANDLE* phFileResult, // receives handle to opened file, or INVALID_HANDLE_VALUE
IN DWORD dwSafeFlags, // zero or more SCF_* flags
IN LPCTSTR pszFileName, // same as CreateFile
IN DWORD dwDesiredAccess, // same as CreateFile
IN DWORD dwShareMode, // same as CreateFile
IN LPSECURITY_ATTRIBUTES lpSecurityAttributes, // same as CreateFile
IN DWORD dwCreationDisposition, // same as CreateFile
IN DWORD dwFlagsAndAttributes, // same as CreateFile + (SECURITY_SQOS_PRESENT|SECURITY_ANONYMOUS)
IN HANDLE hTemplateFile // same as CreateFile
){ HANDLE hFile = INVALID_HANDLE_VALUE; HRESULT hr = S_OK;
// BLOCK
{ if (!pszFileName || !phFileResult || (dwSafeFlags & ~(SCF_ALLOW_NETWORK_DRIVE | SCF_ALLOW_REMOVABLE_DRIVE | SCF_ALLOW_ALTERNATE_STREAM))) { hr = E_INVALIDARG; goto done; }
// We require a full pathname.
if (!IsFullPathName(pszFileName)) { hr = HRESULT_FROM_WIN32(ERROR_PATH_NOT_FOUND); goto done; }
// Ensure path doesn't contain ".." references
if (DoesPathContainDotDot(pszFileName)) { hr = HRESULT_FROM_WIN32(ERROR_BAD_PATHNAME); goto done; }
// Ensure filename doesn't refer to alternate stream unless allowed
if (!(dwSafeFlags & SCF_ALLOW_ALTERNATE_STREAM) && DoesPathContainStreamSyntax(pszFileName)) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_NAME); goto done; }
// Check drive type to ensure it's allowed by dwSafeFlags
if (FAILED(hr = CheckValidDriveType(pszFileName, (dwSafeFlags & SCF_ALLOW_NETWORK_DRIVE), (dwSafeFlags & SCF_ALLOW_REMOVABLE_DRIVE)))) { goto done; }
// Open the file w/ extra security attributes
dwFlagsAndAttributes |= (SECURITY_SQOS_PRESENT | SECURITY_ANONYMOUS); hFile = CreateFile(pszFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile); if (hFile == INVALID_HANDLE_VALUE) { goto win32_error; }
// Ensure it's really a file
if (FILE_TYPE_DISK != GetFileType(hFile)) { CloseHandle(hFile); hFile = INVALID_HANDLE_VALUE; hr = HRESULT_FROM_WIN32(ERROR_OPEN_FAILED); } goto done;
} // end BLOCK
win32_error: hr = GetLastErrorAsHresult();
done: if (phFileResult) *phFileResult = hFile; ASSERT(hr != E_INVALIDARG); return hr;}
// SafeRemoveFileAttributes [public]
//
// Given a filename and that file's current attributes, checks whether
// any of the bits in dwRemoveAttrib need to be removed from the file,
// and if necessary calls SetFileAttributes() to remove them.
//
// Designed to check for invalid dwCurAttrib and call GetLastError()
// for you, so you can pass GetFileAttributes() directly as a parameter.
//
HRESULT WINAPI SafeRemoveFileAttributes ( IN LPCTSTR pszFileName, // full path to file whose attributes we will change
IN DWORD dwCurAttrib, // current attributes of the file
IN DWORD dwRemoveAttrib // attribute bits to remove
){ HRESULT hr = S_OK; // this is default if attrib doesn't need to be removed
if (!pszFileName || !dwRemoveAttrib) { hr = E_INVALIDARG; goto done; }
if (dwCurAttrib & dwRemoveAttrib) // note: always true if dwCurAttrib==INVALID_FILE_ATTRIBUTES
{ if (dwCurAttrib == INVALID_FILE_ATTRIBUTES || !SetFileAttributes(pszFileName, dwCurAttrib & ~dwRemoveAttrib)) { hr = GetLastErrorAsHresult(); } }
done: ASSERT(hr != E_INVALIDARG); return hr;}
// SafeDeleteFolderAndContentsHelper [private]
//
// Does all work except the parameter validation for for
// SafeDeleteFolderAndContents.
//
static HRESULT SafeDeleteFolderAndContentsHelper ( IN LPCTSTR pszFolderToDelete, // folder in current level of recursion
IN DWORD dwSafeFlags, // zero or more SDF_* flags
OUT WIN32_FIND_DATA* pFind // struct to use for FindFirst/FindNext (to avoid malloc)
){ HRESULT hr = S_OK; LPTSTR pszCurFile = NULL; HANDLE hFind = INVALID_HANDLE_VALUE;
// Allocate room for folder + backslash + MAX_PATH (includes trailing null)
int cchFolderName = lstrlen(pszFolderToDelete); int cchAllocCurFile = cchFolderName + 1 + MAX_PATH; pszCurFile = (LPTSTR)SafeFileMalloc(sizeof(TCHAR) * cchAllocCurFile); if (!pszCurFile) { hr = E_OUTOFMEMORY; goto done; }
// Check for read-only base folder
if (dwSafeFlags & SDF_DELETE_READONLY_FILES) { hr = SafeRemoveFileAttributes(pszFolderToDelete, GetFileAttributes(pszFolderToDelete), FILE_ATTRIBUTE_READONLY); if (FAILED(hr) && !(dwSafeFlags & SDF_CONTINUE_IF_ERROR)) goto done; }
// Build search path by appending "\*.*"
StringCchCopy(pszCurFile, cchAllocCurFile, pszFolderToDelete); if (!IsSlashOrBackslash(pszCurFile[cchFolderName-1])) pszCurFile[cchFolderName++] = _T('\\'); StringCchCopy(pszCurFile + cchFolderName, cchAllocCurFile - cchFolderName, _T("*.*"));
// Iterate through all files in this folder
hFind = FindFirstFile(pszCurFile, pFind); if (hFind == INVALID_HANDLE_VALUE) { hr = GetLastErrorAsHresult(); // probably doesn't exist, or not a folder
goto done; } else { do { if (0 == lstrcmp(pFind->cFileName, _T(".")) || 0 == lstrcmp(pFind->cFileName, _T(".."))) { continue; }
StringCchCopy(pszCurFile + cchFolderName, cchAllocCurFile - cchFolderName, pFind->cFileName); HRESULT hrCur = S_OK;
if (!(pFind->dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT) || SUCCEEDED(hrCur = CheckReparsePointPermissions(pFind->dwReserved0))) { // Remove read-only attribute if allowed
if (dwSafeFlags & SDF_DELETE_READONLY_FILES) { hrCur = SafeRemoveFileAttributes(pszCurFile, pFind->dwFileAttributes, FILE_ATTRIBUTE_READONLY); }
if (SUCCEEDED(hrCur) || (dwSafeFlags & SDF_CONTINUE_IF_ERROR)) { HRESULT hrCur2 = S_OK;
if (pFind->dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) { // Recursively delete folder and contents
// Note that pFind's contents are clobbered by this call
hrCur2 = SafeDeleteFolderAndContentsHelper(pszCurFile, dwSafeFlags, pFind); } else { // Delete the file
if (!DeleteFile(pszCurFile)) { hrCur2 = GetLastErrorAsHresult(); } }
if (FAILED(hrCur2)) hrCur = hrCur2; } }
if (FAILED(hrCur)) hr = hrCur;
if (FAILED(hr) && !(dwSafeFlags & SDF_CONTINUE_IF_ERROR)) goto done;
} while (FindNextFile(hFind, pFind)); FindClose(hFind); hFind = INVALID_HANDLE_VALUE; }
// Delete the folder
if (!RemoveDirectory(pszFolderToDelete)) { if (SUCCEEDED(hr)) hr = GetLastErrorAsHresult(); }
done: if (hFind != INVALID_HANDLE_VALUE) FindClose(hFind); SafeFileFree(pszCurFile); return hr;}
// SafeDeleteFolderAndContents [public]
//
// Deletes the given folder and all of its contents, but refuses to walk
// across reparse points.
//
HRESULT WINAPI SafeDeleteFolderAndContents ( IN LPCTSTR pszFolderToDelete, // full path of folder to delete
IN DWORD dwSafeFlags // zero or more SDF_* flags
){ HRESULT hr = E_INVALIDARG;
if (!pszFolderToDelete || !(*pszFolderToDelete) || (dwSafeFlags & ~(SDF_ALLOW_NETWORK_DRIVE | SDF_DELETE_READONLY_FILES | SDF_CONTINUE_IF_ERROR))) { goto done; // hr already set to E_INVALIDARG
}
//
// Ensure it's a full path, but not the root of a drive
//
int cchDrivePart; if (!SkipPathDrivePart(pszFolderToDelete, &cchDrivePart, NULL, NULL) || pszFolderToDelete[cchDrivePart] == _T('\0')) { hr = HRESULT_FROM_WIN32(ERROR_BAD_PATHNAME); goto done; }
//
// Ensure we're not deleting from a network drive unless allowed
//
if (FAILED(hr = CheckValidDriveType(pszFolderToDelete, (dwSafeFlags & SDF_ALLOW_NETWORK_DRIVE), TRUE))) { goto done; }
//
// Ensure starting point is not a reparse point
//
DWORD dwReparseType; if (FAILED(hr = GetReparsePointType(pszFolderToDelete, &dwReparseType)) || FAILED(hr = CheckReparsePointPermissions(dwReparseType))) { goto done; }
WIN32_FIND_DATA Find; hr = SafeDeleteFolderAndContentsHelper(pszFolderToDelete, dwSafeFlags, &Find);
done: ASSERT(hr != E_INVALIDARG); return hr;}
// SafeFileCheckForReparsePoint [public]
//
// Checks a subset of the given filename's component parts to ensure that
// they are not reparse points (specifically, volume mount points or
// junction points: see linkd.exe and mountvol.exe).
//
// Normal return values are S_OK or HRESULT_FROM_WIN32(ERROR_REPARSE_TAG_MISMATCH).
// Other values may be returned in exceptional cases such as out-of-memory.
//
HRESULT WINAPI SafeFileCheckForReparsePoint ( IN LPCTSTR pszFileName, // full path of a file
IN int nFirstUntrustedOffset, // char offset of first path component to check
IN DWORD dwSafeFlags // zero or more SRP_* flags
){ HRESULT hr = E_INVALIDARG; LPTSTR pszMutableFileName = NULL;
// BLOCK
{ if (!pszFileName || (dwSafeFlags & ~SRP_FILE_MUST_EXIST)) { goto done; // hr is already E_INVALIDARG
}
int cchFileName = lstrlen(pszFileName); if ((UINT)nFirstUntrustedOffset >= (UINT)cchFileName) // bad offset, or zero-length filename
{ goto done; // hr is already E_INVALIDARG
}
pszMutableFileName = (LPTSTR)SafeFileMalloc(sizeof(TCHAR) * (cchFileName+1)); if (!pszMutableFileName) { hr = E_OUTOFMEMORY; goto done; } StringCchCopy(pszMutableFileName, cchFileName+1, pszFileName);
//
// Always consider the drive part of the path to be trusted
//
int cchDrivePart; if (!SkipPathDrivePart(pszMutableFileName, &cchDrivePart, NULL, NULL)) { hr = HRESULT_FROM_WIN32(ERROR_BAD_PATHNAME); goto done; } if (nFirstUntrustedOffset < cchDrivePart) nFirstUntrustedOffset = cchDrivePart;
//
// Validate left-to-right, starting after trusted base path
//
LPTSTR pszNextComponent = pszMutableFileName + nFirstUntrustedOffset; BOOL fMoreComponents = TRUE; do { //
// Advance pszNextComponent; truncate after current path component
//
fMoreComponents = MyPathFindNextComponent(pszNextComponent, TRUE, (LPCTSTR*)&pszNextComponent); TCHAR chSave = *(pszNextComponent-1); if (fMoreComponents) { *(pszNextComponent-1) = _T('\0'); }
// Get reparse point type of truncated string, and undo the truncation
DWORD dwReparseType; if (FAILED(hr = GetReparsePointType(pszMutableFileName, &dwReparseType))) goto done; *(pszNextComponent-1) = chSave;
// Check for forbidden reparse point type, e.g. mounted drive
if (FAILED(hr = CheckReparsePointPermissions(dwReparseType))) goto done; } while (fMoreComponents);
} // end BLOCK
done: SafeFileFree(pszMutableFileName);
// Ignore file-not-found errors, if requested in dwSafeFlags
if (!(dwSafeFlags & SRP_FILE_MUST_EXIST) && (hr == HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND) || hr == HRESULT_FROM_WIN32(ERROR_PATH_NOT_FOUND))) { hr = S_OK; }
ASSERT(hr != E_INVALIDARG); return hr;}
// SafePathCombine [public]
//
// Combines a path and filename, ensuring exactly one backslash between them.
// The second "untrusted" half of the path is checked to ensure that it is
// safe (doesn't contain ".." or ":", or point to existing reparse points).
//
// File-not-found errors are ignored unless SPC_FILE_MUST_EXIST flag is specified.
//
// It's ok for the base path and the output buffer to point to the same buffer.
//
// Returns S_OK if successful, or an appropriate error code if not.
//
HRESULT WINAPI SafePathCombine ( OUT LPTSTR pszBuf, // buffer where combined path will be stored
IN int cchBuf, // size of output buffer, in TCHARs
IN LPCTSTR pszTrustedBasePath, // first half of path, all trusted
IN LPCTSTR pszUntrustedFileName, // second half of path, not trusted
IN DWORD dwSafeFlags // zero or more SPC_* flags
){ HRESULT hr = E_INVALIDARG;
if (!pszBuf || cchBuf <= 0 || !pszTrustedBasePath || !pszUntrustedFileName || (dwSafeFlags & ~(SPC_FILE_MUST_EXIST | SPC_ALLOW_ALTERNATE_STREAM))) { goto done; // hr is already E_INVALIDARG
}
// BLOCK
{ int cchBasePath = lstrlen(pszTrustedBasePath); int cchFileName = lstrlen(pszUntrustedFileName); if (cchBasePath == 0 || cchFileName == 0) { goto done; // hr is already E_INVALIDARG
}
// Ensure nothing bogus in the untrusted part of the filename
if (DoesPathContainDotDot(pszUntrustedFileName)) { hr = ERROR_BAD_PATHNAME; goto done; }
if (!(dwSafeFlags & SPC_ALLOW_ALTERNATE_STREAM) && DoesPathContainStreamSyntax(pszUntrustedFileName)) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_NAME); goto done; }
//
// Ensure room for the "\" that will be inserted.
//
int cchInsertSlash = 0; if (!IsSlashOrBackslash(pszTrustedBasePath[cchBasePath-1])) { cchInsertSlash = 1; } if (cchBasePath + cchInsertSlash + cchFileName >= cchBuf) { hr = HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER); goto done; }
//
// Build full path with a backslash between
//
if (pszBuf != pszTrustedBasePath) StringCchCopy(pszBuf, cchBuf, pszTrustedBasePath); int cchUsed = cchBasePath; if (cchInsertSlash > 0) { pszBuf[cchUsed++] = _T('\\'); } StringCchCopy(pszBuf + cchUsed, cchBuf - cchUsed, pszUntrustedFileName);
//
// Ensure no junctions or volume mount points in untrusted portion
//
DWORD dwReparseFlags = (dwSafeFlags & SPC_FILE_MUST_EXIST) ? SRP_FILE_MUST_EXIST : 0; hr = SafeFileCheckForReparsePoint(pszBuf, cchUsed, dwReparseFlags); }
done: if (FAILED(hr) && pszBuf && cchBuf > 0) pszBuf[0] = _T('\0');
ASSERT(hr != E_INVALIDARG); return hr;}
// SafePathCombineAlloc [public]
//
// See comments for SafePathCombine. The only difference is that this
// function allocates a buffer of sufficient size and stores it in the
// output parameter ppszResult. Caller is responsible for freeing the
// buffer via SafeFileFree.
//
HRESULT WINAPI SafePathCombineAlloc ( OUT LPTSTR* ppszResult, // ptr to newly alloc'd buffer stored here
IN LPCTSTR pszTrustedBasePath, // first half of path, all trusted
IN LPCTSTR pszUntrustedFileName, // second half of path, not trusted
IN DWORD dwSafeFlags // zero or more SPC_* flags
){ HRESULT hr = E_INVALIDARG;
ASSERT(ppszResult); *ppszResult = NULL;
if (!pszTrustedBasePath || !pszUntrustedFileName) { goto done; // hr already set to E_INVALIDARG
}
// Allocate room for the max possible length (includes room for "\" between parts)
int cchMaxNeeded = lstrlen(pszTrustedBasePath) + lstrlen(pszUntrustedFileName) + 2; LPTSTR pszResult = (LPTSTR)SafeFileMalloc(sizeof(TCHAR) * cchMaxNeeded); if (!pszResult) { hr = E_OUTOFMEMORY; goto done; }
hr = SafePathCombine(pszResult, cchMaxNeeded, pszTrustedBasePath, pszUntrustedFileName, dwSafeFlags); if (FAILED(hr)) { SafeFileFree(pszResult); } else { *ppszResult = pszResult; }
done: ASSERT(hr != E_INVALIDARG); return hr;}
|
