17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate  * CDDL HEADER START
37c478bd9Sstevel@tonic-gate  *
47c478bd9Sstevel@tonic-gate  * The contents of this file are subject to the terms of the
57257d1b4Sraf  * Common Development and Distribution License (the "License").
67257d1b4Sraf  * You may not use this file except in compliance with the License.
77c478bd9Sstevel@tonic-gate  *
87c478bd9Sstevel@tonic-gate  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
97c478bd9Sstevel@tonic-gate  * or http://www.opensolaris.org/os/licensing.
107c478bd9Sstevel@tonic-gate  * See the License for the specific language governing permissions
117c478bd9Sstevel@tonic-gate  * and limitations under the License.
127c478bd9Sstevel@tonic-gate  *
137c478bd9Sstevel@tonic-gate  * When distributing Covered Code, include this CDDL HEADER in each
147c478bd9Sstevel@tonic-gate  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
157c478bd9Sstevel@tonic-gate  * If applicable, add the following below this CDDL HEADER, with the
167c478bd9Sstevel@tonic-gate  * fields enclosed by brackets "[]" replaced with your own identifying
177c478bd9Sstevel@tonic-gate  * information: Portions Copyright [yyyy] [name of copyright owner]
187c478bd9Sstevel@tonic-gate  *
197c478bd9Sstevel@tonic-gate  * CDDL HEADER END
207c478bd9Sstevel@tonic-gate  */
217257d1b4Sraf 
227c478bd9Sstevel@tonic-gate /*
237257d1b4Sraf  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
247c478bd9Sstevel@tonic-gate  * Use is subject to license terms.
257c478bd9Sstevel@tonic-gate  */
267c478bd9Sstevel@tonic-gate 
277257d1b4Sraf #include "lint.h"
287c478bd9Sstevel@tonic-gate #include "mtlib.h"
297c478bd9Sstevel@tonic-gate #include <string.h>
307c478bd9Sstevel@tonic-gate #include <syslog.h>
317c478bd9Sstevel@tonic-gate #include <sys/stat.h>
327c478bd9Sstevel@tonic-gate #include <fcntl.h>
337c478bd9Sstevel@tonic-gate #include <limits.h>
347c478bd9Sstevel@tonic-gate #include <unistd.h>
357c478bd9Sstevel@tonic-gate #include <stdlib.h>
367c478bd9Sstevel@tonic-gate #include <thread.h>
377c478bd9Sstevel@tonic-gate #include <synch.h>
387c478bd9Sstevel@tonic-gate #include <ctype.h>
397c478bd9Sstevel@tonic-gate #include <errno.h>
407c478bd9Sstevel@tonic-gate #include "libc.h"
417c478bd9Sstevel@tonic-gate #include "nlspath_checks.h"
427c478bd9Sstevel@tonic-gate 
4359f081edSraf extern const char **_environ;
447c478bd9Sstevel@tonic-gate 
457c478bd9Sstevel@tonic-gate /*
467c478bd9Sstevel@tonic-gate  * We want to prevent the use of NLSPATH by setugid applications but
477c478bd9Sstevel@tonic-gate  * not completely.  CDE depends on this very much.
487c478bd9Sstevel@tonic-gate  * Yes, this is ugly.
497c478bd9Sstevel@tonic-gate  */
507c478bd9Sstevel@tonic-gate 
517c478bd9Sstevel@tonic-gate struct trusted_systemdirs {
527c478bd9Sstevel@tonic-gate 	const char	*dir;
537c478bd9Sstevel@tonic-gate 	size_t	dirlen;
547c478bd9Sstevel@tonic-gate };
557c478bd9Sstevel@tonic-gate 
567c478bd9Sstevel@tonic-gate #define	_USRLIB	"/usr/lib/"
577c478bd9Sstevel@tonic-gate #define	_USRDT	"/usr/dt/"
587c478bd9Sstevel@tonic-gate #define	_USROW	"/usr/openwin/"
597c478bd9Sstevel@tonic-gate 
607c478bd9Sstevel@tonic-gate static const struct trusted_systemdirs	prefix[] = {
617c478bd9Sstevel@tonic-gate 	{ _USRLIB,	sizeof (_USRLIB) - 1 },
627c478bd9Sstevel@tonic-gate 	{ _USRDT,	sizeof (_USRDT) - 1 },
637c478bd9Sstevel@tonic-gate 	{ _USROW,	sizeof (_USROW) - 1 },
647c478bd9Sstevel@tonic-gate 	{ NULL,		0 }
657c478bd9Sstevel@tonic-gate };
667c478bd9Sstevel@tonic-gate 
677c478bd9Sstevel@tonic-gate static int8_t nlspath_safe;
687c478bd9Sstevel@tonic-gate 
697c478bd9Sstevel@tonic-gate /*
707c478bd9Sstevel@tonic-gate  * Routine to check the safety of a messages file.
717c478bd9Sstevel@tonic-gate  * When the program specifies a pathname and doesn't
727c478bd9Sstevel@tonic-gate  * use NLSPATH, it should specify the "safe" flag as 1.
737c478bd9Sstevel@tonic-gate  * Most checks will be disabled then.
747c478bd9Sstevel@tonic-gate  * fstat64 is done here and the stat structure is returned
757c478bd9Sstevel@tonic-gate  * to prevent duplication of system calls.
767c478bd9Sstevel@tonic-gate  *
777c478bd9Sstevel@tonic-gate  * The trust return value contains an indication of
787c478bd9Sstevel@tonic-gate  * trustworthiness (i.e., does check_format need to be called or
797c478bd9Sstevel@tonic-gate  * not)
807c478bd9Sstevel@tonic-gate  */
817c478bd9Sstevel@tonic-gate 
827c478bd9Sstevel@tonic-gate int
837c478bd9Sstevel@tonic-gate nls_safe_open(const char *path, struct stat64 *statbuf, int *trust, int safe)
847c478bd9Sstevel@tonic-gate {
857c478bd9Sstevel@tonic-gate 	int	fd;
867c478bd9Sstevel@tonic-gate 	int	trust_path;
877c478bd9Sstevel@tonic-gate 	int	systemdir = 0;
887c478bd9Sstevel@tonic-gate 	int	abs_path = 0;
897c478bd9Sstevel@tonic-gate 	int	trust_owner = 0;
907c478bd9Sstevel@tonic-gate 	int	trust_group = 0;
917c478bd9Sstevel@tonic-gate 	const struct trusted_systemdirs	*p;
927c478bd9Sstevel@tonic-gate 
937c478bd9Sstevel@tonic-gate 	/*
947c478bd9Sstevel@tonic-gate 	 * If SAFE_F has been specified or NLSPATH is safe (or not set),
957c478bd9Sstevel@tonic-gate 	 * set trust_path and trust the file as an initial value.
967c478bd9Sstevel@tonic-gate 	 */
977c478bd9Sstevel@tonic-gate 	trust_path = *trust = safe || nlspath_safe;
987c478bd9Sstevel@tonic-gate 
997c478bd9Sstevel@tonic-gate 	fd = open(path, O_RDONLY);
1007c478bd9Sstevel@tonic-gate 
1017c478bd9Sstevel@tonic-gate 	if (fd < 0)
1027c478bd9Sstevel@tonic-gate 		return (-1);
1037c478bd9Sstevel@tonic-gate 
1047c478bd9Sstevel@tonic-gate 	if (fstat64(fd, statbuf) == -1) {
1057c478bd9Sstevel@tonic-gate 		(void) close(fd);
1067c478bd9Sstevel@tonic-gate 		return (-1);
1077c478bd9Sstevel@tonic-gate 	}
1087c478bd9Sstevel@tonic-gate 
1097c478bd9Sstevel@tonic-gate 	/*
1107c478bd9Sstevel@tonic-gate 	 * Trust only files owned by root or bin (uid 2), except
1117c478bd9Sstevel@tonic-gate 	 * when specified as full path or when NLSPATH is known to
1127c478bd9Sstevel@tonic-gate 	 * be safe.
1137c478bd9Sstevel@tonic-gate 	 * Don't trust files writable by other or writable
1147c478bd9Sstevel@tonic-gate 	 * by non-bin, non-root system group.
1157c478bd9Sstevel@tonic-gate 	 * Don't trust these files even if the path is correct.
1167c478bd9Sstevel@tonic-gate 	 * Since we don't support changing uids/gids on our files,
1177c478bd9Sstevel@tonic-gate 	 * we hardcode them here for now.
1187c478bd9Sstevel@tonic-gate 	 */
1197c478bd9Sstevel@tonic-gate 
1207c478bd9Sstevel@tonic-gate 	/*
1217c478bd9Sstevel@tonic-gate 	 * if the path is absolute and does not contain "/../",
1227c478bd9Sstevel@tonic-gate 	 * set abs_path.
1237c478bd9Sstevel@tonic-gate 	 */
1247c478bd9Sstevel@tonic-gate 	if (*path == '/' && strstr(path, "/../") == NULL) {
1257c478bd9Sstevel@tonic-gate 		abs_path = 1;
1267c478bd9Sstevel@tonic-gate 		/*
1277c478bd9Sstevel@tonic-gate 		 * if the path belongs to the trusted system directory,
1287c478bd9Sstevel@tonic-gate 		 * set systemdir.
1297c478bd9Sstevel@tonic-gate 		 */
1307c478bd9Sstevel@tonic-gate 		for (p = prefix; p->dir; p++) {
1317c478bd9Sstevel@tonic-gate 			if (strncmp(p->dir, path, p->dirlen) == 0) {
1327c478bd9Sstevel@tonic-gate 				systemdir = 1;
1337c478bd9Sstevel@tonic-gate 				break;
1347c478bd9Sstevel@tonic-gate 			}
1357c478bd9Sstevel@tonic-gate 		}
1367c478bd9Sstevel@tonic-gate 	}
1377c478bd9Sstevel@tonic-gate 
1387c478bd9Sstevel@tonic-gate 	/*
1397c478bd9Sstevel@tonic-gate 	 * If the owner is root or bin, set trust_owner.
1407c478bd9Sstevel@tonic-gate 	 */
1417c478bd9Sstevel@tonic-gate 	if (statbuf->st_uid == 0 || statbuf->st_uid == 2) {
1427c478bd9Sstevel@tonic-gate 		trust_owner = 1;
1437c478bd9Sstevel@tonic-gate 	}
1447c478bd9Sstevel@tonic-gate 	/*
1457c478bd9Sstevel@tonic-gate 	 * If the file is neither other-writable nor group-writable by
1467c478bd9Sstevel@tonic-gate 	 * non-bin and non-root system group, set trust_group.
1477c478bd9Sstevel@tonic-gate 	 */
1487c478bd9Sstevel@tonic-gate 	if ((statbuf->st_mode & (S_IWOTH)) == 0 &&
1497c478bd9Sstevel@tonic-gate 	    ((statbuf->st_mode & (S_IWGRP)) == 0 ||
1507257d1b4Sraf 	    (statbuf->st_gid < 4 && statbuf->st_gid != 1))) {
1517c478bd9Sstevel@tonic-gate 		trust_group = 1;
1527c478bd9Sstevel@tonic-gate 	}
1537c478bd9Sstevel@tonic-gate 
1547c478bd9Sstevel@tonic-gate 	/*
1557c478bd9Sstevel@tonic-gate 	 * Even if UNSAFE_F has been specified and unsafe-NLSPATH
1567c478bd9Sstevel@tonic-gate 	 * has been set, trust the file as long as it belongs to
1577c478bd9Sstevel@tonic-gate 	 * the trusted system directory.
1587c478bd9Sstevel@tonic-gate 	 */
1597c478bd9Sstevel@tonic-gate 	if (!*trust && systemdir) {
1607c478bd9Sstevel@tonic-gate 		*trust = 1;
1617c478bd9Sstevel@tonic-gate 	}
1627c478bd9Sstevel@tonic-gate 
1637c478bd9Sstevel@tonic-gate 	/*
1647c478bd9Sstevel@tonic-gate 	 * If:
1657c478bd9Sstevel@tonic-gate 	 *	file is not a full pathname,
1667c478bd9Sstevel@tonic-gate 	 * or
1677c478bd9Sstevel@tonic-gate 	 *	neither trust_owner nor trust_path is set,
1687c478bd9Sstevel@tonic-gate 	 * or
1697c478bd9Sstevel@tonic-gate 	 *	trust_group is not set,
1707c478bd9Sstevel@tonic-gate 	 * untrust it.
1717c478bd9Sstevel@tonic-gate 	 */
1727c478bd9Sstevel@tonic-gate 	if (*trust &&
1737c478bd9Sstevel@tonic-gate 	    (!abs_path || (!trust_owner && !trust_path) || !trust_group)) {
1747c478bd9Sstevel@tonic-gate 		*trust = 0;
1757c478bd9Sstevel@tonic-gate 	}
1767c478bd9Sstevel@tonic-gate 
1777c478bd9Sstevel@tonic-gate 	/*
1787c478bd9Sstevel@tonic-gate 	 * If set[ug]id process, open for the untrusted file should fail.
1797c478bd9Sstevel@tonic-gate 	 * Otherwise, the message extracted from the untrusted file
1807c478bd9Sstevel@tonic-gate 	 * will have to be checked by check_format().
1817c478bd9Sstevel@tonic-gate 	 */
1827c478bd9Sstevel@tonic-gate 	if (issetugid()) {
1837c478bd9Sstevel@tonic-gate 		if (!*trust) {
1847c478bd9Sstevel@tonic-gate 			/*
1857c478bd9Sstevel@tonic-gate 			 * Open should fail
1867c478bd9Sstevel@tonic-gate 			 */
1877c478bd9Sstevel@tonic-gate 			(void) close(fd);
1887c478bd9Sstevel@tonic-gate 			return (-1);
1897c478bd9Sstevel@tonic-gate 		}
1907c478bd9Sstevel@tonic-gate 
1917c478bd9Sstevel@tonic-gate 		/*
1927c478bd9Sstevel@tonic-gate 		 * if the path does not belong to the trusted system directory
1937c478bd9Sstevel@tonic-gate 		 * or if the owner is neither root nor bin, untrust it.
1947c478bd9Sstevel@tonic-gate 		 */
1957c478bd9Sstevel@tonic-gate 		if (!systemdir || !trust_owner) {
1967c478bd9Sstevel@tonic-gate 			*trust = 0;
1977c478bd9Sstevel@tonic-gate 		}
1987c478bd9Sstevel@tonic-gate 	}
1997c478bd9Sstevel@tonic-gate 
2007c478bd9Sstevel@tonic-gate 	return (fd);
2017c478bd9Sstevel@tonic-gate }
2027c478bd9Sstevel@tonic-gate 
2037c478bd9Sstevel@tonic-gate /*
2047c478bd9Sstevel@tonic-gate  * Extract a format into a normalized format string.
2057c478bd9Sstevel@tonic-gate  * Returns the number of arguments converted, -1 on error.
2067c478bd9Sstevel@tonic-gate  * The string norm should contain 2N bytes; an upperbound is the
2077c478bd9Sstevel@tonic-gate  * length of the format string.
2087c478bd9Sstevel@tonic-gate  * The canonical format consists of two chars: one is the conversion
2097c478bd9Sstevel@tonic-gate  * character (s, c, d, x, etc), the second one is the option flag.
2107c478bd9Sstevel@tonic-gate  * L, ll, l, w as defined below.
2117c478bd9Sstevel@tonic-gate  * A special conversion character, '*', indicates that the argument
2127c478bd9Sstevel@tonic-gate  * is used as a precision specifier.
2137c478bd9Sstevel@tonic-gate  */
2147c478bd9Sstevel@tonic-gate 
2157c478bd9Sstevel@tonic-gate #define	OPT_L		0x01
2167c478bd9Sstevel@tonic-gate #define	OPT_l		0x02
2177c478bd9Sstevel@tonic-gate #define	OPT_ll		0x04
2187c478bd9Sstevel@tonic-gate #define	OPT_w		0x08
2197c478bd9Sstevel@tonic-gate #define	OPT_h		0x10
2207c478bd9Sstevel@tonic-gate #define	OPT_hh		0x20
2217c478bd9Sstevel@tonic-gate #define	OPT_j		0x40
2227c478bd9Sstevel@tonic-gate 
2237c478bd9Sstevel@tonic-gate /* Number of bytes per canonical format entry */
2247c478bd9Sstevel@tonic-gate #define	FORMAT_SIZE	2
2257c478bd9Sstevel@tonic-gate 
2267c478bd9Sstevel@tonic-gate /*
2277c478bd9Sstevel@tonic-gate  * Check and store the argument; allow each argument to be used only as
2287c478bd9Sstevel@tonic-gate  * one type even though printf allows multiple uses.  The specification only
2297c478bd9Sstevel@tonic-gate  * allows one use, but we don't want to break existing functional code,
2307c478bd9Sstevel@tonic-gate  * even if it's buggy.
2317c478bd9Sstevel@tonic-gate  */
2327c478bd9Sstevel@tonic-gate #define	STORE(buf, size, arg, val) 	if (arg * FORMAT_SIZE + 1 >= size ||\
2337c478bd9Sstevel@tonic-gate 					    (strict ? \
2347c478bd9Sstevel@tonic-gate 					    (buf[arg*FORMAT_SIZE] != '\0' && \
2357c478bd9Sstevel@tonic-gate 					    buf[arg*FORMAT_SIZE] != val) \
2367c478bd9Sstevel@tonic-gate 						: \
2377c478bd9Sstevel@tonic-gate 					    (buf[arg*FORMAT_SIZE] == 'n'))) \
2387c478bd9Sstevel@tonic-gate 						return (-1); \
2397c478bd9Sstevel@tonic-gate 					else {\
2407c478bd9Sstevel@tonic-gate 						if (arg >= maxarg) \
2417c478bd9Sstevel@tonic-gate 							maxarg = arg + 1; \
2427c478bd9Sstevel@tonic-gate 						narg++; \
2437c478bd9Sstevel@tonic-gate 						buf[arg*FORMAT_SIZE] = val; \
2447c478bd9Sstevel@tonic-gate 					}
2457c478bd9Sstevel@tonic-gate 
2467c478bd9Sstevel@tonic-gate /*
2477c478bd9Sstevel@tonic-gate  * This function extracts sprintf format into a canonical
2487c478bd9Sstevel@tonic-gate  * sprintf form.  It's not as easy as just removing everything
2497c478bd9Sstevel@tonic-gate  * that isn't a format specifier, because of "%n$" specifiers.
2507c478bd9Sstevel@tonic-gate  * Ideally, this should be compatible with printf and not
2517c478bd9Sstevel@tonic-gate  * fail on bad formats.
2527c478bd9Sstevel@tonic-gate  * However, that makes writing a proper check_format that
2537c478bd9Sstevel@tonic-gate  * doesn't cause crashes a lot harder.
2547c478bd9Sstevel@tonic-gate  */
2557c478bd9Sstevel@tonic-gate 
2567c478bd9Sstevel@tonic-gate static int
2577c478bd9Sstevel@tonic-gate extract_format(const char *fmt, char *norm, size_t sz, int strict)
2587c478bd9Sstevel@tonic-gate {
2597c478bd9Sstevel@tonic-gate 	int narg = 0;
2607c478bd9Sstevel@tonic-gate 	int t, arg, argp;
2617c478bd9Sstevel@tonic-gate 	int dotseen;
2627c478bd9Sstevel@tonic-gate 	char flag;
2637c478bd9Sstevel@tonic-gate 	char conv;
2647c478bd9Sstevel@tonic-gate 	int lastarg = -1;
2657c478bd9Sstevel@tonic-gate 	int prevarg;
2667c478bd9Sstevel@tonic-gate 	int maxarg = 0;		/* Highest index seen + 1 */
2677c478bd9Sstevel@tonic-gate 	int lflag;
2687c478bd9Sstevel@tonic-gate 
2697c478bd9Sstevel@tonic-gate 	(void) memset(norm, '\0', sz);
2707c478bd9Sstevel@tonic-gate 
2717c478bd9Sstevel@tonic-gate #ifdef DEBUG
2727c478bd9Sstevel@tonic-gate 	printf("Format \"%s\" canonical form: ", fmt);
2737c478bd9Sstevel@tonic-gate #endif
2747c478bd9Sstevel@tonic-gate 
2757c478bd9Sstevel@tonic-gate 	for (; *fmt; fmt++) {
2767c478bd9Sstevel@tonic-gate 		if (*fmt == '%') {
2777c478bd9Sstevel@tonic-gate 			if (*++fmt == '%')
2787c478bd9Sstevel@tonic-gate 				continue;
2797c478bd9Sstevel@tonic-gate 
2807c478bd9Sstevel@tonic-gate 			if (*fmt == '\0')
2817c478bd9Sstevel@tonic-gate 				break;
2827c478bd9Sstevel@tonic-gate 
2837c478bd9Sstevel@tonic-gate 			prevarg = lastarg;
2847c478bd9Sstevel@tonic-gate 			arg = ++lastarg;
2857c478bd9Sstevel@tonic-gate 
2867c478bd9Sstevel@tonic-gate 			t = 0;
2877c478bd9Sstevel@tonic-gate 			while (*fmt && isdigit(*fmt))
2887c478bd9Sstevel@tonic-gate 				t = t * 10 + *fmt++ - '0';
2897c478bd9Sstevel@tonic-gate 
2907c478bd9Sstevel@tonic-gate 			if (*fmt == '$') {
2917c478bd9Sstevel@tonic-gate 				lastarg = arg = t - 1;
2927c478bd9Sstevel@tonic-gate 				fmt++;
2937c478bd9Sstevel@tonic-gate 			}
2947c478bd9Sstevel@tonic-gate 
2957c478bd9Sstevel@tonic-gate 			if (*fmt == '\0')
2967c478bd9Sstevel@tonic-gate 				goto end;
2977c478bd9Sstevel@tonic-gate 
2987c478bd9Sstevel@tonic-gate 			dotseen = 0;
2997c478bd9Sstevel@tonic-gate 			flag = 0;
3007c478bd9Sstevel@tonic-gate 			lflag = 0;
3017c478bd9Sstevel@tonic-gate again:
3027c478bd9Sstevel@tonic-gate 			/* Skip flags */
3037c478bd9Sstevel@tonic-gate 			while (*fmt) {
3047c478bd9Sstevel@tonic-gate 				switch (*fmt) {
3057c478bd9Sstevel@tonic-gate 				case '\'':
3067c478bd9Sstevel@tonic-gate 				case '+':
3077c478bd9Sstevel@tonic-gate 				case '-':
3087c478bd9Sstevel@tonic-gate 				case ' ':
3097c478bd9Sstevel@tonic-gate 				case '#':
3107c478bd9Sstevel@tonic-gate 				case '0':
3117c478bd9Sstevel@tonic-gate 					fmt++;
3127c478bd9Sstevel@tonic-gate 					continue;
3137c478bd9Sstevel@tonic-gate 				}
3147c478bd9Sstevel@tonic-gate 				break;
3157c478bd9Sstevel@tonic-gate 			}
3167c478bd9Sstevel@tonic-gate 
3177c478bd9Sstevel@tonic-gate 			while (*fmt && isdigit(*fmt))
3187c478bd9Sstevel@tonic-gate 				fmt++;
3197c478bd9Sstevel@tonic-gate 
3207c478bd9Sstevel@tonic-gate 			if (*fmt == '*') {
3217c478bd9Sstevel@tonic-gate 				if (isdigit(fmt[1])) {
3227c478bd9Sstevel@tonic-gate 					fmt++;
3237c478bd9Sstevel@tonic-gate 					t = 0;
3247c478bd9Sstevel@tonic-gate 					while (*fmt && isdigit(*fmt))
3257c478bd9Sstevel@tonic-gate 						t = t * 10 + *fmt++ - '0';
3267c478bd9Sstevel@tonic-gate 
3277c478bd9Sstevel@tonic-gate 					if (*fmt == '$') {
3287c478bd9Sstevel@tonic-gate 						argp = t - 1;
3297c478bd9Sstevel@tonic-gate 						STORE(norm, sz, argp, '*');
3307c478bd9Sstevel@tonic-gate 					}
3317c478bd9Sstevel@tonic-gate 					/*
3327c478bd9Sstevel@tonic-gate 					 * If digits follow a '*', it is
3337c478bd9Sstevel@tonic-gate 					 * not loaded as an argument, the
3347c478bd9Sstevel@tonic-gate 					 * digits are used instead.
3357c478bd9Sstevel@tonic-gate 					 */
3367c478bd9Sstevel@tonic-gate 				} else {
3377c478bd9Sstevel@tonic-gate 					/*
3387c478bd9Sstevel@tonic-gate 					 * Weird as it may seem, if we
3397c478bd9Sstevel@tonic-gate 					 * use an numbered argument, we
3407c478bd9Sstevel@tonic-gate 					 * get the next one if we have
3417c478bd9Sstevel@tonic-gate 					 * an unnumbered '*'
3427c478bd9Sstevel@tonic-gate 					 */
3437c478bd9Sstevel@tonic-gate 					if (fmt[1] == '$')
3447c478bd9Sstevel@tonic-gate 						fmt++;
3457c478bd9Sstevel@tonic-gate 					else {
3467c478bd9Sstevel@tonic-gate 						argp = arg;
3477c478bd9Sstevel@tonic-gate 						prevarg = arg;
3487c478bd9Sstevel@tonic-gate 						lastarg = ++arg;
3497c478bd9Sstevel@tonic-gate 						STORE(norm, sz, argp, '*');
3507c478bd9Sstevel@tonic-gate 					}
3517c478bd9Sstevel@tonic-gate 				}
3527c478bd9Sstevel@tonic-gate 				fmt++;
3537c478bd9Sstevel@tonic-gate 			}
3547c478bd9Sstevel@tonic-gate 
3557c478bd9Sstevel@tonic-gate 			/* Fail on two or more dots if we do strict checking */
3567c478bd9Sstevel@tonic-gate 			if (*fmt == '.' || *fmt == '*') {
3577c478bd9Sstevel@tonic-gate 				if (dotseen && strict)
3587c478bd9Sstevel@tonic-gate 					return (-1);
3597c478bd9Sstevel@tonic-gate 				dotseen = 1;
3607c478bd9Sstevel@tonic-gate 				fmt++;
3617c478bd9Sstevel@tonic-gate 				goto again;
3627c478bd9Sstevel@tonic-gate 			}
3637c478bd9Sstevel@tonic-gate 
3647c478bd9Sstevel@tonic-gate 			if (*fmt == '\0')
3657c478bd9Sstevel@tonic-gate 				goto end;
3667c478bd9Sstevel@tonic-gate 
3677c478bd9Sstevel@tonic-gate 			while (*fmt) {
3687c478bd9Sstevel@tonic-gate 				switch (*fmt) {
3697c478bd9Sstevel@tonic-gate 				case 'l':
3707c478bd9Sstevel@tonic-gate 					if (!(flag & OPT_ll)) {
3717c478bd9Sstevel@tonic-gate 						if (lflag) {
3727c478bd9Sstevel@tonic-gate 							flag &= ~OPT_l;
3737c478bd9Sstevel@tonic-gate 							flag |= OPT_ll;
3747c478bd9Sstevel@tonic-gate 						} else {
3757c478bd9Sstevel@tonic-gate 							flag |= OPT_l;
3767c478bd9Sstevel@tonic-gate 						}
3777c478bd9Sstevel@tonic-gate 					}
3787c478bd9Sstevel@tonic-gate 					lflag++;
3797c478bd9Sstevel@tonic-gate 					break;
3807c478bd9Sstevel@tonic-gate 				case 'L':
3817c478bd9Sstevel@tonic-gate 					flag |= OPT_L;
3827c478bd9Sstevel@tonic-gate 					break;
3837c478bd9Sstevel@tonic-gate 				case 'w':
3847c478bd9Sstevel@tonic-gate 					flag |= OPT_w;
3857c478bd9Sstevel@tonic-gate 					break;
3867c478bd9Sstevel@tonic-gate 				case 'h':
3877c478bd9Sstevel@tonic-gate 					if (flag & (OPT_h|OPT_hh))
3887c478bd9Sstevel@tonic-gate 						flag |= OPT_hh;
3897c478bd9Sstevel@tonic-gate 					else
3907c478bd9Sstevel@tonic-gate 						flag |= OPT_h;
3917c478bd9Sstevel@tonic-gate 					break;
3927c478bd9Sstevel@tonic-gate 				case 'j':
3937c478bd9Sstevel@tonic-gate 					flag |= OPT_j;
3947c478bd9Sstevel@tonic-gate 					break;
3957c478bd9Sstevel@tonic-gate 				case 'z':
3967c478bd9Sstevel@tonic-gate 				case 't':
3977c478bd9Sstevel@tonic-gate 					if (!(flag & OPT_ll)) {
3987c478bd9Sstevel@tonic-gate 						flag |= OPT_l;
3997c478bd9Sstevel@tonic-gate 					}
4007c478bd9Sstevel@tonic-gate 					break;
4017c478bd9Sstevel@tonic-gate 				case '\'':
4027c478bd9Sstevel@tonic-gate 				case '+':
4037c478bd9Sstevel@tonic-gate 				case '-':
4047c478bd9Sstevel@tonic-gate 				case ' ':
4057c478bd9Sstevel@tonic-gate 				case '#':
4067c478bd9Sstevel@tonic-gate 				case '.':
4077c478bd9Sstevel@tonic-gate 				case '*':
4087c478bd9Sstevel@tonic-gate 					goto again;
4097c478bd9Sstevel@tonic-gate 				default:
4107c478bd9Sstevel@tonic-gate 					if (isdigit(*fmt))
4117c478bd9Sstevel@tonic-gate 						goto again;
4127c478bd9Sstevel@tonic-gate 					else
4137c478bd9Sstevel@tonic-gate 						goto done;
4147c478bd9Sstevel@tonic-gate 				}
4157c478bd9Sstevel@tonic-gate 				fmt++;
4167c478bd9Sstevel@tonic-gate 			}
4177c478bd9Sstevel@tonic-gate done:
4187c478bd9Sstevel@tonic-gate 			if (*fmt == '\0')
4197c478bd9Sstevel@tonic-gate 				goto end;
4207c478bd9Sstevel@tonic-gate 
4217c478bd9Sstevel@tonic-gate 			switch (*fmt) {
4227c478bd9Sstevel@tonic-gate 			case 'C':
4237c478bd9Sstevel@tonic-gate 				flag |= OPT_l;
4247c478bd9Sstevel@tonic-gate 				/* FALLTHROUGH */
4257c478bd9Sstevel@tonic-gate 			case 'd':
4267c478bd9Sstevel@tonic-gate 			case 'i':
4277c478bd9Sstevel@tonic-gate 			case 'o':
4287c478bd9Sstevel@tonic-gate 			case 'u':
4297c478bd9Sstevel@tonic-gate 			case 'c':
4307c478bd9Sstevel@tonic-gate 			case 'x':
4317c478bd9Sstevel@tonic-gate 			case 'X':
4327c478bd9Sstevel@tonic-gate 				conv = 'I';
4337c478bd9Sstevel@tonic-gate 				break;
4347c478bd9Sstevel@tonic-gate 			case 'e':
4357c478bd9Sstevel@tonic-gate 			case 'E':
4367c478bd9Sstevel@tonic-gate 			case 'f':
4377c478bd9Sstevel@tonic-gate 			case 'F':
4387c478bd9Sstevel@tonic-gate 			case 'a':
4397c478bd9Sstevel@tonic-gate 			case 'A':
4407c478bd9Sstevel@tonic-gate 			case 'g':
4417c478bd9Sstevel@tonic-gate 			case 'G':
4427c478bd9Sstevel@tonic-gate 				conv = 'D';
4437c478bd9Sstevel@tonic-gate 				break;
4447c478bd9Sstevel@tonic-gate 			case 'S':
4457c478bd9Sstevel@tonic-gate 				flag |= OPT_l;
4467c478bd9Sstevel@tonic-gate 				/* FALLTHROUGH */
4477c478bd9Sstevel@tonic-gate 			case 's':
4487c478bd9Sstevel@tonic-gate 				conv = 's';
4497c478bd9Sstevel@tonic-gate 				break;
4507c478bd9Sstevel@tonic-gate 			case 'p':
4517c478bd9Sstevel@tonic-gate 			case 'n':
4527c478bd9Sstevel@tonic-gate 				conv = *fmt;
4537c478bd9Sstevel@tonic-gate 				break;
4547c478bd9Sstevel@tonic-gate 			default:
4557c478bd9Sstevel@tonic-gate 				lastarg = prevarg;
4567c478bd9Sstevel@tonic-gate 				continue;
4577c478bd9Sstevel@tonic-gate 			}
4587c478bd9Sstevel@tonic-gate 
4597c478bd9Sstevel@tonic-gate 			STORE(norm, sz, arg, conv);
4607c478bd9Sstevel@tonic-gate 			norm[arg*FORMAT_SIZE + 1] = flag;
4617c478bd9Sstevel@tonic-gate 		}
4627c478bd9Sstevel@tonic-gate 	}
4637c478bd9Sstevel@tonic-gate #ifdef DEBUG
4647c478bd9Sstevel@tonic-gate 	for (t = 0; t < maxarg * FORMAT_SIZE; t += FORMAT_SIZE) {
4657257d1b4Sraf 		printf("%c(%d)", norm[t], norm[t+1]);
4667c478bd9Sstevel@tonic-gate 	}
4677c478bd9Sstevel@tonic-gate 	putchar('\n');
4687c478bd9Sstevel@tonic-gate #endif
4697c478bd9Sstevel@tonic-gate end:
4707c478bd9Sstevel@tonic-gate 	if (strict)
4717c478bd9Sstevel@tonic-gate 		for (arg = 0; arg < maxarg; arg++)
4727c478bd9Sstevel@tonic-gate 			if (norm[arg*FORMAT_SIZE] == '\0')
4737c478bd9Sstevel@tonic-gate 				return (-1);
4747c478bd9Sstevel@tonic-gate 
4757c478bd9Sstevel@tonic-gate 	return (maxarg);
4767c478bd9Sstevel@tonic-gate }
4777c478bd9Sstevel@tonic-gate 
4787c478bd9Sstevel@tonic-gate char *
4797c478bd9Sstevel@tonic-gate check_format(const char *org, const char *new, int strict)
4807c478bd9Sstevel@tonic-gate {
4817c478bd9Sstevel@tonic-gate 	char *ofmt, *nfmt, *torg;
4827c478bd9Sstevel@tonic-gate 	size_t osz, nsz;
4837c478bd9Sstevel@tonic-gate 	int olen, nlen;
4847c478bd9Sstevel@tonic-gate 
4857c478bd9Sstevel@tonic-gate 	if (!org) {
4867c478bd9Sstevel@tonic-gate 		/*
4877c478bd9Sstevel@tonic-gate 		 * Default message is NULL.
4887c478bd9Sstevel@tonic-gate 		 * dtmail uses NULL for default message.
4897c478bd9Sstevel@tonic-gate 		 */
4907c478bd9Sstevel@tonic-gate 		torg = "(NULL)";
4917c478bd9Sstevel@tonic-gate 	} else {
4927c478bd9Sstevel@tonic-gate 		torg = (char *)org;
4937c478bd9Sstevel@tonic-gate 	}
4947c478bd9Sstevel@tonic-gate 
4957c478bd9Sstevel@tonic-gate 	/* Short cut */
4967c478bd9Sstevel@tonic-gate 	if (org == new || strcmp(torg, new) == 0 ||
4977c478bd9Sstevel@tonic-gate 	    strchr(new, '%') == NULL)
4987c478bd9Sstevel@tonic-gate 		return ((char *)new);
4997c478bd9Sstevel@tonic-gate 
5007c478bd9Sstevel@tonic-gate 	osz = strlen(torg) * FORMAT_SIZE;
5017c478bd9Sstevel@tonic-gate 	ofmt = malloc(osz);
5027c478bd9Sstevel@tonic-gate 	if (ofmt == NULL)
5037c478bd9Sstevel@tonic-gate 		return ((char *)org);
5047c478bd9Sstevel@tonic-gate 
5057c478bd9Sstevel@tonic-gate 	olen = extract_format(torg, ofmt, osz, 0);
5067c478bd9Sstevel@tonic-gate 
5077c478bd9Sstevel@tonic-gate 	if (olen == -1)
5087c478bd9Sstevel@tonic-gate 		syslog(LOG_AUTH|LOG_INFO,
5097c478bd9Sstevel@tonic-gate 		    "invalid format in gettext argument: \"%s\"", torg);
5107c478bd9Sstevel@tonic-gate 
5117c478bd9Sstevel@tonic-gate 	nsz = strlen(new) * FORMAT_SIZE;
5127c478bd9Sstevel@tonic-gate 	nfmt = malloc(nsz);
5137c478bd9Sstevel@tonic-gate 	if (nfmt == NULL) {
5147c478bd9Sstevel@tonic-gate 		free(ofmt);
5157c478bd9Sstevel@tonic-gate 		return ((char *)org);
5167c478bd9Sstevel@tonic-gate 	}
5177c478bd9Sstevel@tonic-gate 
5187c478bd9Sstevel@tonic-gate 	nlen = extract_format(new, nfmt, nsz, strict);
5197c478bd9Sstevel@tonic-gate 
5207c478bd9Sstevel@tonic-gate 	if (nlen == -1) {
5217c478bd9Sstevel@tonic-gate 		free(ofmt);
5227c478bd9Sstevel@tonic-gate 		free(nfmt);
5237c478bd9Sstevel@tonic-gate 		syslog(LOG_AUTH|LOG_NOTICE,
5247c478bd9Sstevel@tonic-gate 		    "invalid format in message file \"%.100s\" -> \"%s\"",
5257c478bd9Sstevel@tonic-gate 		    torg, new);
5267c478bd9Sstevel@tonic-gate 		errno = EBADMSG;
5277c478bd9Sstevel@tonic-gate 		return ((char *)org);
5287c478bd9Sstevel@tonic-gate 	}
5297c478bd9Sstevel@tonic-gate 
5307c478bd9Sstevel@tonic-gate 	if (strict && (olen != nlen || olen == -1)) {
5317c478bd9Sstevel@tonic-gate 		free(ofmt);
5327c478bd9Sstevel@tonic-gate 		free(nfmt);
5337c478bd9Sstevel@tonic-gate 		syslog(LOG_AUTH|LOG_NOTICE,
5347c478bd9Sstevel@tonic-gate 		    "incompatible format in message file: \"%.100s\" != \"%s\"",
5357c478bd9Sstevel@tonic-gate 		    torg, new);
5367c478bd9Sstevel@tonic-gate 		errno = EBADMSG;
5377c478bd9Sstevel@tonic-gate 		return ((char *)org);
5387c478bd9Sstevel@tonic-gate 	}
5397c478bd9Sstevel@tonic-gate 
5407c478bd9Sstevel@tonic-gate 	if (strict && memcmp(ofmt, nfmt, nlen * FORMAT_SIZE) == 0) {
5417c478bd9Sstevel@tonic-gate 		free(ofmt);
5427c478bd9Sstevel@tonic-gate 		free(nfmt);
5437c478bd9Sstevel@tonic-gate 		return ((char *)new);
5447c478bd9Sstevel@tonic-gate 	} else {
5457c478bd9Sstevel@tonic-gate 		if (!strict) {
5467c478bd9Sstevel@tonic-gate 			char *n;
5477c478bd9Sstevel@tonic-gate 
5487c478bd9Sstevel@tonic-gate 			nlen *= FORMAT_SIZE;
5497c478bd9Sstevel@tonic-gate 
5507c478bd9Sstevel@tonic-gate 			for (n = nfmt; n = memchr(n, 'n', nfmt + nlen - n);
5517c478bd9Sstevel@tonic-gate 			    n++) {
5527c478bd9Sstevel@tonic-gate 				int off = (n - nfmt);
5537c478bd9Sstevel@tonic-gate 
5547c478bd9Sstevel@tonic-gate 				if (off >= olen * FORMAT_SIZE ||
5557c478bd9Sstevel@tonic-gate 				    ofmt[off] != 'n' ||
5567c478bd9Sstevel@tonic-gate 				    ofmt[off+1] != nfmt[off+1]) {
5577c478bd9Sstevel@tonic-gate 					free(ofmt);
5587c478bd9Sstevel@tonic-gate 					free(nfmt);
5597c478bd9Sstevel@tonic-gate 					syslog(LOG_AUTH|LOG_NOTICE,
5607c478bd9Sstevel@tonic-gate 					    "dangerous format in message file: "
5617c478bd9Sstevel@tonic-gate 					    "\"%.100s\" -> \"%s\"", torg, new);
5627c478bd9Sstevel@tonic-gate 					errno = EBADMSG;
5637c478bd9Sstevel@tonic-gate 					return ((char *)org);
5647c478bd9Sstevel@tonic-gate 				}
5657c478bd9Sstevel@tonic-gate 			}
5667c478bd9Sstevel@tonic-gate 			free(ofmt);
5677c478bd9Sstevel@tonic-gate 			free(nfmt);
5687c478bd9Sstevel@tonic-gate 			return ((char *)new);
5697c478bd9Sstevel@tonic-gate 		}
5707c478bd9Sstevel@tonic-gate 		free(ofmt);
5717c478bd9Sstevel@tonic-gate 		free(nfmt);
5727c478bd9Sstevel@tonic-gate 		syslog(LOG_AUTH|LOG_NOTICE,
5737c478bd9Sstevel@tonic-gate 		    "incompatible format in message file \"%.100s\" != \"%s\"",
5747c478bd9Sstevel@tonic-gate 		    torg, new);
5757c478bd9Sstevel@tonic-gate 		errno = EBADMSG;
5767c478bd9Sstevel@tonic-gate 		return ((char *)org);
5777c478bd9Sstevel@tonic-gate 	}
5787c478bd9Sstevel@tonic-gate }
5797c478bd9Sstevel@tonic-gate 
5807c478bd9Sstevel@tonic-gate /*
5817c478bd9Sstevel@tonic-gate  * s1 is either name, or name=value
5827c478bd9Sstevel@tonic-gate  * s2 is name=value
5837c478bd9Sstevel@tonic-gate  * if names match, return value of s2, else NULL
5847c478bd9Sstevel@tonic-gate  * used for environment searching: see getenv
5857c478bd9Sstevel@tonic-gate  */
5867c478bd9Sstevel@tonic-gate const char *
5877c478bd9Sstevel@tonic-gate nvmatch(const char *s1, const char *s2)
5887c478bd9Sstevel@tonic-gate {
5897c478bd9Sstevel@tonic-gate 	while (*s1 == *s2++)
5907c478bd9Sstevel@tonic-gate 		if (*s1++ == '=')
5917c478bd9Sstevel@tonic-gate 			return (s2);
5927c478bd9Sstevel@tonic-gate 	if (*s1 == '\0' && *(s2-1) == '=')
5937c478bd9Sstevel@tonic-gate 		return (s2);
5947c478bd9Sstevel@tonic-gate 	return (NULL);
5957c478bd9Sstevel@tonic-gate }
5967c478bd9Sstevel@tonic-gate 
5977c478bd9Sstevel@tonic-gate /*
5987c478bd9Sstevel@tonic-gate  * Handle NLSPATH environment variables in the environment.
5997c478bd9Sstevel@tonic-gate  * This routine is hooked into getenv/putenv at first call.
6007c478bd9Sstevel@tonic-gate  *
6017c478bd9Sstevel@tonic-gate  * The intention is to ignore NLSPATH in set-uid applications,
6027c478bd9Sstevel@tonic-gate  * and determine whether the NLSPATH in an application was set
6037c478bd9Sstevel@tonic-gate  * by the applications or derived from the user's environment.
6047c478bd9Sstevel@tonic-gate  */
6057c478bd9Sstevel@tonic-gate 
6067c478bd9Sstevel@tonic-gate void
6077c478bd9Sstevel@tonic-gate clean_env(void)
6087c478bd9Sstevel@tonic-gate {
6097c478bd9Sstevel@tonic-gate 	const char **p;
6107c478bd9Sstevel@tonic-gate 
61159f081edSraf 	if (_environ == NULL) {
61259f081edSraf 		/* can happen when processing a SunOS 4.x AOUT file */
6137257d1b4Sraf 		nlspath_safe = 1;
6147257d1b4Sraf 		return;
6157257d1b4Sraf 	}
6167257d1b4Sraf 
6177c478bd9Sstevel@tonic-gate 	/* Find the first NLSPATH occurrence */
61859f081edSraf 	for (p = _environ; *p; p++)
6197c478bd9Sstevel@tonic-gate 		if (**p == 'N' && nvmatch("NLSPATH", *p) != NULL)
6207c478bd9Sstevel@tonic-gate 			break;
6217c478bd9Sstevel@tonic-gate 
6227c478bd9Sstevel@tonic-gate 	if (!*p)				/* None found, we're safe */
6237c478bd9Sstevel@tonic-gate 		nlspath_safe = 1;
6247c478bd9Sstevel@tonic-gate 	else if (issetugid()) {			/* Found and set-uid, clean */
6257c478bd9Sstevel@tonic-gate 		int off = 1;
6267c478bd9Sstevel@tonic-gate 
627*9a67df4bSToomas Soome 		for (p++; (p[-off] = p[0]) != NULL; p++)
6287c478bd9Sstevel@tonic-gate 			if (**p == 'N' && nvmatch("NLSPATH", *p) != NULL)
6297c478bd9Sstevel@tonic-gate 				off++;
6307c478bd9Sstevel@tonic-gate 
6317c478bd9Sstevel@tonic-gate 		nlspath_safe = 1;
6327c478bd9Sstevel@tonic-gate 	}
6337c478bd9Sstevel@tonic-gate }
634