New option -close_filter_list

xorriso/xorriso.1

@@ -2,7 +2,7 @@
 .\" First parameter, NAME, should be all caps
 .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
 .\" other parameters are allowed: see man(7), man(1)
-.TH XORRISO 1 "Apr 03, 2009"
+.TH XORRISO 1 "Apr 04, 2009"
 .\" Please adjust this date whenever revising the manpage.
 .\"
 .\" Some roff macros, for reference:
@@ -1125,6 +1125,13 @@ Examples:
 Remove an -external_filter registration. This is only possible if the filter
 is not applied to any file in the ISO image.
 .TP
+\fB\-close_filter_list\fR
+Irrevocably ban commands -external_filter and -unregister_filter,
+but not -set_filter. Use this to prevent external filtering in general or
+when all intended filters are registered.
+External filters may also be banned totally at compile time of xorriso.
+By default they are banned if xorriso runs under setuid permission.
+.TP
 \fB\-set_filter\fR name iso_rr_path [***]
 Apply an -external_filter to the given data files in the ISO image.
 If the filter suffix is not empty , then it will be appended to the file name.

xorriso/xorriso.c

@@ -4096,6 +4096,7 @@ int Xorriso_new(struct XorrisO ** xorriso,char *progname, int flag)
  m->global_dir_mode= 0555;
  m->global_file_mode= 0444;
  m->filters= NULL;
+ m->filter_list_closed= 0;
  m->do_overwrite= 2;
  m->do_reassure= 0;
  m->drive_blacklist= NULL;
@@ -12641,6 +12642,14 @@ int Xorriso_option_close(struct XorrisO *xorriso, char *mode, int flag)
 }
 
 
+/* Option -close_filter_list */
+int Xorriso_option_close_filter_list(struct XorrisO *xorriso, int flag)
+{
+ xorriso->filter_list_closed= 1;
+ return(1);
+}
+
+
 /* Option -commit */
 /* @param flag bit0= leave indrive and outdrive aquired as they were,
                      i.e. do not aquire outdrive as new in-out-drive
@@ -14257,16 +14266,29 @@ int Xorriso_option_help(struct XorrisO *xorriso, int flag)
 "Filter options:",
 "External filter processes may produce synthetic file content by reading the",
 "original content from stdin and writing to stdout whatever they want.",
+
+#ifdef Xorriso_allow_external_filterS
+
 "  -external_filter name option[:option] program_path [arguments] --",
 "                 Define an external filter. Options are: suffix=...: ",
 "                 remove_suffix:if_nonempty:if_reduction:if_block_reduction.",
 "  -unregister_filter name",
 "                 Undefine an external filter.",
+"  -close_filter_list",
+"                 Irrevocably ban -external_filter and -unregister_filter.",
 "  -set_filter name iso_rr_path [***]",
 "                 Apply a defined filter to the given data files.",
 "                 Special name \"--remove-all-filters\" revokes filtering.",
 "  -set_filter_r name iso_rr_path [***]",
 "                 Like -set_filter but affecting all files below directories.",
+
+#else
+
+"Sorry: The use of external filters was not enabled at compile time.",
+"       E.g. by ./configure option --enable-external-filters",
+
+#endif /* ! Xorriso_allow_external_filterS */
+
 "",
 "Write-to-media options:",
 "  -rollback      Discard the manipulated ISO image and reload it.",
@@ -17008,7 +17030,7 @@ int Xorriso_count_args(struct XorrisO *xorriso, int argc, char **argv,
  int ret, was_dashed= 0, i;
  char *cmd, cmd_data[2*SfileadrL];
  static char arg0_commands[][40]= {
-    "ban_stdio_write","commit","devices","end","help",
+    "ban_stdio_write","close_filter_list","commit","devices","end","help",
     "list_formats","no_rc","print_size","pwd","pwdi","pwdx",
     "rollback","rollback_end","tell_media_space","toc","version",
     ""
@@ -17274,6 +17296,9 @@ next_command:;
    (*idx)++;
    ret= Xorriso_option_close(xorriso, arg1, 0);
 
+ } else if(strcmp(cmd,"close_filter_list")==0) {
+   ret= Xorriso_option_close_filter_list(xorriso, 0);
+
  } else if(strcmp(cmd,"commit")==0) {
    ret= Xorriso_option_commit(xorriso, 0);
 

xorriso/xorriso_private.h

@@ -128,6 +128,7 @@ struct XorrisO { /* the global context of xorriso */
  mode_t global_file_mode;
 
  struct Xorriso_lsT *filters;
+ int filter_list_closed;
 
  int do_overwrite; /* 0=off, 1=on, 2=nondir */
  int do_reassure;  /* 0=off, 1=on, 2=tree */

xorriso/xorriso_timestamp.h

@@ -1 +1 @@
-#define Xorriso_timestamP "2009.04.04.082636"
+#define Xorriso_timestamP "2009.04.04.144009"

xorriso/xorrisoburn.c

@@ -9797,13 +9797,6 @@ int Xorriso_set_filter(struct XorrisO *xorriso, void *in_node,
 
  new_name[0]= 0;
 
- if(getuid() != geteuid()) {
-   sprintf(xorriso->info_text,
-          "-set_filter: UID and EUID differ. Will not run external programs.");
-   Xorriso_msgs_submit(xorriso, 0, xorriso->info_text, 0, "FATAL", 0);
-   return(0);
- }
-
  node= (IsoNode *) in_node;
  if(node == NULL) {
    ret= Xorriso_get_node_by_path(xorriso, path, NULL, &node, 0);
@@ -9912,6 +9905,19 @@ cannot_append_suffix:;
    }
    ret= 1;
  } else {
+
+#ifndef Xorriso_allow_extf_suiD
+   /* This is a final safety precaution before iso_file_add_external_filter()
+      performs fork() and executes the alleged filter program.
+   */
+   if(getuid() != geteuid()) {
+     sprintf(xorriso->info_text,
+          "-set_filter: UID and EUID differ. Will not run external programs.");
+     Xorriso_msgs_submit(xorriso, 0, xorriso->info_text, 0, "FATAL", 0);
+     return(0);
+   }
+#endif /* ! Xorriso_allow_extf_suiD */
+
    ret = iso_file_add_external_filter(file, cmd, 0);
  }
  if(flag & 2) {
@@ -9954,11 +9960,50 @@ int Xorriso_external_filter(struct XorrisO *xorriso,
                             char *name, char *options, char *path, 
                             int argc, char **argv, int flag)
 {
- int ret, delete= 0, behavior= 0, extf_flag= 0;
+ int ret, delete= 0, behavior= 0, extf_flag= 0, is_banned= 0;
  char *what, *what_next, *suffix= "";
  struct Xorriso_lsT *lst;
  struct Xorriso_extF *found_filter, *new_filter= NULL;
 
+#ifndef Xorriso_allow_external_filterS
+ /* To be controlled by: configure --enable-external-filters */
+
+ sprintf(xorriso->info_text, "%s : Banned at compile time.",
+         flag & 1 ? "-unregister_filter" : "-external_filter");
+ Xorriso_msgs_submit(xorriso, 0, xorriso->info_text, 0, "FAILURE", 0);
+ sprintf(xorriso->info_text,
+"This may be changed at compile time by ./configure option --enable-external-filters");
+ Xorriso_msgs_submit(xorriso, 0, xorriso->info_text, 0, "HINT", 0);
+ is_banned= 1;
+ 
+#endif /* ! Xorriso_allow_external_filterS */
+
+#ifndef Xorriso_allow_extf_suiD
+ /* To be controlled by: configure --enable-external-filters-setuid */
+
+ if(getuid() != geteuid()) {
+   sprintf(xorriso->info_text,
+          "-set_filter: UID and EUID differ. Will not run external programs.");
+   Xorriso_msgs_submit(xorriso, 0, xorriso->info_text, 0, "FATAL", 0);
+   sprintf(xorriso->info_text,
+"This may be changed at compile time by ./configure option --enable-external-filters-setuid");
+   Xorriso_msgs_submit(xorriso, 0, xorriso->info_text, 0, "HINT", 0);
+   is_banned= 1;
+ }
+#endif /* ! Xorriso_allow_extf_suiD */
+
+ if(is_banned)
+   return(0);
+
+ if(xorriso->filter_list_closed) {
+   sprintf(xorriso->info_text,
+           "%s : Banned by previous command -close_filter_list",
+           flag & 1 ? "-unregister_filter" : "-external_filter");
+   Xorriso_msgs_submit(xorriso, 0, xorriso->info_text, 0, "FAILURE", 0);
+   return(0);
+ } 
+
+
  delete= flag & 1;
  ret= Xorriso_lookup_extf(xorriso, name, &lst, 0);
  if(ret < 0)
@@ -10096,5 +10141,9 @@ int Xorriso_status_extf(struct XorrisO *xorriso, char *filter, FILE *fp,
    strcat(line, " --\n");
    Xorriso_status_result(xorriso, filter, fp, flag&2);
  }
+ if(xorriso->filter_list_closed) {
+   strcpy(line, "-close_filter_list\n");
+   Xorriso_status_result(xorriso, filter, fp, flag&2);
+ }
  return(1);
 }