You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
532 lines
16 KiB
532 lines
16 KiB
/*++
|
|
|
|
Copyright (c) 1999-2000 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
SafePath.c (WinSAFER Path Comparison)
|
|
|
|
Abstract:
|
|
|
|
This module implements the WinSAFER APIs that evaluate the system
|
|
policies to determine which Authorization Level has been configured
|
|
to apply restrictions for a specified application or code library.
|
|
|
|
Author:
|
|
|
|
Jeffrey Lawson (JLawson) - Nov 1999
|
|
|
|
Environment:
|
|
|
|
User mode only.
|
|
|
|
Exported Functions:
|
|
|
|
CodeAuthzpCompareImagePath
|
|
|
|
Revision History:
|
|
|
|
Created - Nov 1999
|
|
|
|
--*/
|
|
|
|
#include "pch.h"
|
|
#pragma hdrstop
|
|
#include <winsafer.h>
|
|
#include <winsaferp.h>
|
|
#include "saferp.h"
|
|
|
|
|
|
|
|
//
|
|
// Define the following value to use the "new" comparison logic,
|
|
// that includes asterick and question mark matching.
|
|
//
|
|
#define USE_NEW_WILDCARD_EVALUATION
|
|
|
|
|
|
|
|
//
|
|
// Convenient macros for doing filename pattern matching.
|
|
//
|
|
#define IS_UCASE_CHARS_EQUAL_U(ch1, ch2) (((ch1) == (ch2)) || (RtlUpcaseUnicodeChar(ch1) == RtlUpcaseUnicodeChar(ch2)))
|
|
#define IS_PATH_SEPARATOR_U(ch) (((ch) == L'\\') || ((ch) == L'/'))
|
|
#define IS_WILDCARD_CHAR_U(ch) ((ch) == L'*')
|
|
#define IS_QUESTION_CHAR_U(ch) ((ch) == L'?')
|
|
#define IS_DOT_CHAR_U(ch) ((ch) == L'.')
|
|
|
|
|
|
|
|
FORCEINLINE LPCWSTR CodeAuthzpFindSlash (
|
|
IN LPCWSTR string,
|
|
IN USHORT length
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Returns a pointer to the first instance of a forward or
|
|
backward slash within the specified string buffer.
|
|
|
|
Arguments:
|
|
|
|
string -
|
|
|
|
length -
|
|
|
|
Return Value:
|
|
|
|
Returns NULL if no backslashes or forward-slashes were found within
|
|
the string. Otherwise returns a pointer to the matching char.
|
|
|
|
--*/
|
|
{
|
|
while (length-- > 0) {
|
|
if (IS_PATH_SEPARATOR_U(*string)) return string;
|
|
string++;
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifdef USE_NEW_WILDCARD_EVALUATION
|
|
LONG NTAPI
|
|
__CodeAuthzpCompareImagePathHelper(
|
|
IN LPCWSTR wild,
|
|
IN USHORT wildlen,
|
|
IN LPCWSTR actual,
|
|
IN USHORT actuallen
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Evaluates a wildcard pattern against a specified pathname and
|
|
indicates if they match.
|
|
|
|
Arguments:
|
|
|
|
wild -
|
|
|
|
wildlen -
|
|
|
|
actual -
|
|
|
|
actuallen -
|
|
|
|
Return Value:
|
|
|
|
0 = no match
|
|
-1 = match exactly
|
|
1 = match with wildcard
|
|
|
|
--*/
|
|
{
|
|
LONG lMatchResult = -1;
|
|
|
|
ASSERT(ARGUMENT_PRESENT(wild) &&
|
|
!CodeAuthzpFindSlash(wild, wildlen));
|
|
ASSERT(ARGUMENT_PRESENT(actual) &&
|
|
!CodeAuthzpFindSlash(actual, actuallen));
|
|
|
|
for (;;) {
|
|
// Check for terminating conditions.
|
|
if (wildlen == 0) {
|
|
if (actuallen == 0) {
|
|
return lMatchResult;
|
|
} else {
|
|
ASSERT(actuallen > 0);
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
// Evaluate the wildcard pattern.
|
|
if (IS_WILDCARD_CHAR_U(*wild)) {
|
|
USHORT matchcount;
|
|
|
|
// Skip past the asterick (possibly multiple).
|
|
do {
|
|
wild++; wildlen--;
|
|
} while ( wildlen > 0 && IS_WILDCARD_CHAR_U(*wild) );
|
|
|
|
// Try expanding the asterick to be zero or more chars.
|
|
for (matchcount = 0; ; matchcount++) {
|
|
if (matchcount > actuallen) {
|
|
return 0; // match failed.
|
|
}
|
|
if (0 != __CodeAuthzpCompareImagePathHelper(
|
|
wild, wildlen,
|
|
&actual[matchcount], actuallen - matchcount))
|
|
{
|
|
actual += matchcount;
|
|
actuallen -= matchcount;
|
|
break;
|
|
}
|
|
}
|
|
|
|
// We've encountered a wildcard char, so remember
|
|
// that this is no longer an "exact" match.
|
|
lMatchResult = 1;
|
|
|
|
} else if (IS_QUESTION_CHAR_U(*wild)) {
|
|
// Question marks will match any single character, except
|
|
// periods. Question marks will also match nothing when
|
|
// we are already at the end of the filename or segment.
|
|
|
|
if (actuallen > 0 && !IS_DOT_CHAR_U(*actual)) {
|
|
actual++; actuallen--;
|
|
}
|
|
wild++; wildlen--;
|
|
|
|
// We've encountered a wildcard char, so remember
|
|
// that this is no longer an "exact" match.
|
|
lMatchResult = 1;
|
|
|
|
} else {
|
|
if (actuallen < 1 ||
|
|
!IS_UCASE_CHARS_EQUAL_U(*wild, *actual)) {
|
|
return 0;
|
|
}
|
|
wild++; wildlen--;
|
|
actual++; actuallen--;
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
LONG NTAPI
|
|
CodeAuthzpCompareUnicodeImagePath(
|
|
IN PCUNICODE_STRING wildcard,
|
|
IN PCUNICODE_STRING actual
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Evaluates a wildcard pattern against a specified pathname and
|
|
indicates if they match.
|
|
|
|
Arguments:
|
|
|
|
wildcard -
|
|
|
|
actual -
|
|
|
|
Return Value:
|
|
|
|
Returns 0 if the path fragment does not match the specified imagepath.
|
|
Returns -1 if the fragment matches the imagepath _exactly_!
|
|
Otherwise returns a postive integer representing the "depth" of the
|
|
the match (number of matching subdirectories). Greater values
|
|
indicate a "deeper" directory match.
|
|
|
|
--*/
|
|
|
|
{
|
|
USHORT wildindex = 0, actualindex = 0;
|
|
LONG matchquality = 0;
|
|
BOOLEAN bNoWildcardsFound = TRUE;
|
|
|
|
ASSERT(ARGUMENT_PRESENT(wildcard) && wildcard->Buffer != NULL);
|
|
ASSERT(ARGUMENT_PRESENT(actual) && actual->Buffer != NULL);
|
|
for (;;)
|
|
{
|
|
ASSERT(wildindex <= wildcard->Length / sizeof(WCHAR));
|
|
ASSERT(actualindex <= actual->Length / sizeof(WCHAR));
|
|
|
|
if (wildindex == wildcard->Length / sizeof(WCHAR))
|
|
{
|
|
// We've reached the end of the wildcard but the actual string has
|
|
// not ended.
|
|
if (actualindex < actual->Length / sizeof(WCHAR)) {
|
|
return matchquality;
|
|
}
|
|
|
|
// The wildcard matched the filename but with inexact matches.
|
|
// Return one more than the actual depth so that we can handle
|
|
// non-qualified path matches as worse then these.
|
|
if (!bNoWildcardsFound) {
|
|
return (matchquality + 1);
|
|
}
|
|
|
|
ASSERT(wildindex == wildcard->Length / sizeof(WCHAR));
|
|
return -1; // exact match.
|
|
}
|
|
else if (IS_PATH_SEPARATOR_U(wildcard->Buffer[wildindex]))
|
|
{
|
|
if (!IS_PATH_SEPARATOR_U(actual->Buffer[actualindex])) {
|
|
return 0; // no match
|
|
}
|
|
|
|
// Skip forward to the start of the next component.
|
|
do {
|
|
wildindex++;
|
|
} while ( wildindex < wildcard->Length / sizeof(WCHAR) &&
|
|
IS_PATH_SEPARATOR_U(wildcard->Buffer[wildindex]) );
|
|
|
|
// Skip forward to the start of the next component.
|
|
do {
|
|
actualindex++;
|
|
} while ( actualindex < actual->Length / sizeof(WCHAR) &&
|
|
IS_PATH_SEPARATOR_U(actual->Buffer[actualindex]) );
|
|
}
|
|
else
|
|
{
|
|
USHORT wildlen = 0, actuallen = 0;
|
|
|
|
// Count the length of this component of the wildcard.
|
|
while (wildindex + wildlen < (USHORT) (wildcard->Length / sizeof(WCHAR)) &&
|
|
!IS_PATH_SEPARATOR_U(wildcard->Buffer[wildindex + wildlen])) {
|
|
wildlen++;
|
|
}
|
|
ASSERT(wildlen > 0);
|
|
|
|
// Count the length of this component of the actual path.
|
|
while (actualindex + actuallen < (USHORT) (actual->Length / sizeof(WCHAR)) &&
|
|
!IS_PATH_SEPARATOR_U(actual->Buffer[actualindex + actuallen])) {
|
|
actuallen++;
|
|
}
|
|
|
|
// Otherwise require that this component matches.
|
|
switch (__CodeAuthzpCompareImagePathHelper(
|
|
&wildcard->Buffer[wildindex], wildlen,
|
|
&actual->Buffer[actualindex], actuallen)) {
|
|
case 0: // fails to match
|
|
return 0;
|
|
case -1: // matches exactly without wildcards
|
|
break;
|
|
default: // matches with wildcard expansion.
|
|
bNoWildcardsFound = FALSE; break;
|
|
}
|
|
|
|
// Increment pointers for next component.
|
|
wildindex += wildlen;
|
|
actualindex += actuallen;
|
|
matchquality++;
|
|
}
|
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
LONG NTAPI
|
|
CodeAuthzpCompareImagePath(
|
|
IN LPCWSTR szPathFragment,
|
|
IN LPCWSTR szFullImagePath
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Evaluates a wildcard pattern against a specified pathname and
|
|
indicates if they match.
|
|
|
|
Arguments:
|
|
|
|
szPathFragment -
|
|
|
|
szFullImagePath -
|
|
|
|
Return Value:
|
|
|
|
Returns 0 if the path fragment does not match the specified imagepath.
|
|
Returns -1 if the fragment matches the imagepath _exactly_!
|
|
Otherwise returns a postive integer representing the "depth" of the
|
|
the match (number of matching subdirectories). Greater values
|
|
indicate a "deeper" directory match.
|
|
|
|
--*/
|
|
{
|
|
UNICODE_STRING UnicodePathFragment;
|
|
UNICODE_STRING UnicodeFullImagePath;
|
|
ULONG i = 0;
|
|
USHORT Len = 0;
|
|
LONG lMatchDepth = 0;
|
|
|
|
RtlInitUnicodeString(&UnicodePathFragment, szPathFragment);
|
|
RtlInitUnicodeString(&UnicodeFullImagePath, szFullImagePath);
|
|
lMatchDepth = CodeAuthzpCompareUnicodeImagePath(
|
|
&UnicodePathFragment, &UnicodeFullImagePath);
|
|
|
|
// We did not get a match for fully qualified name. Let's try for just a
|
|
// basename match.
|
|
if (!lMatchDepth) {
|
|
// if the rule has a '\' in it, it's not a basename match rule.
|
|
// We only check for filename.ext rules allowing wildcards.
|
|
if (wcschr(szPathFragment, L'\\')) {
|
|
return 0;
|
|
}
|
|
|
|
Len = (UnicodeFullImagePath.Length/sizeof(WCHAR)) -1;
|
|
|
|
// Skip from rightmost character to the the character just after the
|
|
// last '\', if any or to the beginning of the string in absence of '\'.
|
|
while (Len > 0 && szFullImagePath[Len] != L'\\') {
|
|
Len--;
|
|
}
|
|
|
|
// A '\' exists. Move one character to the right.
|
|
if (szFullImagePath[Len] == L'\\') {
|
|
Len++;
|
|
}
|
|
|
|
// Check if there is a match of the file basename with the rule. We have
|
|
// already checked that the rule does not have '\'.
|
|
switch (__CodeAuthzpCompareImagePathHelper(
|
|
szPathFragment, UnicodePathFragment.Length/sizeof(WCHAR),
|
|
szFullImagePath+Len, (UnicodeFullImagePath.Length/sizeof(WCHAR))-Len)) {
|
|
case 0: // fails to match
|
|
return 0;
|
|
case -1: // matches exactly without wildcards
|
|
default: // matches with wildcard expansion.
|
|
|
|
// We treat exact matches the same as inexact matches here.
|
|
// Thus, abc.exe is == a*.exe = *.exe.
|
|
|
|
// Skip to the first non-'\' character.
|
|
while ((szFullImagePath[i] == L'\\') && (szFullImagePath[i] != L'\0')) {
|
|
i++;
|
|
}
|
|
|
|
// This string is bogus. It only has 0 or more '\'s in it.
|
|
if (szFullImagePath[i] == L'\0') {
|
|
return 0;
|
|
}
|
|
|
|
// Return the depth of the tree.
|
|
lMatchDepth = 1;
|
|
while (TRUE) {
|
|
|
|
// Skip to the first '\' while not end of string.
|
|
while ((szFullImagePath[i] != L'\\') && (szFullImagePath[i] != L'\0')) {
|
|
i++;
|
|
}
|
|
|
|
// We are at the end of the string. Return the depth.
|
|
if (szFullImagePath[i] == L'\0') {
|
|
return lMatchDepth;
|
|
}
|
|
|
|
// Skip to the first non-'\' while not end of string.
|
|
while ((szFullImagePath[i] == L'\\') && (szFullImagePath[i] != L'\0')) {
|
|
i++;
|
|
}
|
|
|
|
// We are at a non-'\' character. Increment the depth.
|
|
lMatchDepth++;
|
|
}
|
|
|
|
// Should never get here.
|
|
ASSERT(FALSE);
|
|
}
|
|
}
|
|
|
|
return lMatchDepth;
|
|
}
|
|
|
|
|
|
|
|
#else // #ifdef USE_NEW_WILDCARD_EVALUATION
|
|
|
|
|
|
LONG NTAPI
|
|
CodeAuthzpCompareImagePath(
|
|
IN LPCWSTR szPathFragment,
|
|
IN LPCWSTR szFullImagePath
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Evaluates a wildcard pattern against a specified pathname and
|
|
indicates if they match.
|
|
|
|
Arguments:
|
|
|
|
szPathFragment -
|
|
|
|
szFullImagePath -
|
|
|
|
Return Value:
|
|
|
|
Returns 0 if the path fragment does not match the specified imagepath.
|
|
Returns -1 if the fragment matches the imagepath _exactly_!
|
|
Otherwise returns a postive integer representing the "depth" of the
|
|
the match (number of matching subdirectories). Greater values
|
|
indicate a "deeper" directory match.
|
|
|
|
--*/
|
|
{
|
|
LONG MatchDepth = 0;
|
|
BOOLEAN bLastWasSlash = TRUE;
|
|
LPCWSTR pFragment = szPathFragment;
|
|
LPCWSTR pImage = szFullImagePath;
|
|
|
|
|
|
//
|
|
// Verify that our arguments were all supplied.
|
|
//
|
|
ASSERT(ARGUMENT_PRESENT(pFragment) && ARGUMENT_PRESENT(pImage));
|
|
if (!*pFragment || !*pImage) return 0; // empty strings.
|
|
|
|
|
|
|
|
//
|
|
// Perform the actual comparison loop.
|
|
//
|
|
for (;;) {
|
|
if (!*pFragment)
|
|
{
|
|
// We have reached the string terminator at the end of the
|
|
// wildcard fragment. If this was also the end of the
|
|
// actual filename, then this is a precise match. Otherwise
|
|
// we'll only consider this a positive partial match if this
|
|
// occurred on a path-separator boundary.
|
|
if (!*pImage) return -1; // matched exactly.
|
|
else if (bLastWasSlash) break;
|
|
else if (IS_PATH_SEPARATOR_U(*pImage)) break;
|
|
else return 0; // did not match.
|
|
}
|
|
else if (!*pImage)
|
|
{
|
|
// We have reached the end of the actual filename, but have
|
|
// not yet found the end of the wildcard fragment.
|
|
return 0; // did not match.
|
|
}
|
|
else if (!IS_UCASE_CHARS_EQUAL_U(*pFragment, *pImage))
|
|
{
|
|
// The two characters were unequal. However, this condition
|
|
// might occur if multiple path separators occur in one and
|
|
// not the other, so explicitly absorb multiple slashes.
|
|
if (bLastWasSlash) {
|
|
if (IS_PATH_SEPARATOR_U(*pFragment)) { pFragment++; continue; }
|
|
else if (IS_PATH_SEPARATOR_U(*pImage)) { pImage++; continue; }
|
|
}
|
|
return 0; // did not match.
|
|
}
|
|
else
|
|
{
|
|
// Both characters matched. Remember if they were slashes.
|
|
// If this is a transition to a non-separator portion of the
|
|
// filename, then increment our depth counter.
|
|
if (IS_PATH_SEPARATOR_U(*pFragment)) {
|
|
bLastWasSlash = TRUE;
|
|
} else {
|
|
if (bLastWasSlash) {
|
|
MatchDepth++;
|
|
bLastWasSlash = FALSE;
|
|
}
|
|
}
|
|
}
|
|
pFragment++;
|
|
pImage++;
|
|
}
|
|
return MatchDepth;
|
|
}
|
|
|
|
#endif //#ifdef USE_NEW_WILDCARD_EVALUATION
|
|
|
|
|