From 091e9efed3f417bdd8bdee814d8676757ffb19db Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 2 Oct 2017 10:50:07 +0200
Subject: [PATCH] core: fix StateDirectory= (and friends) safety checks when
 decoding transient unit properties

Let's make sure relative directories such as "foo/bar" are accepted, by
using the same validation checks as in unit file parsing.
---
 src/core/dbus-execute.c    | 5 ++---
 src/core/load-fragment.c   | 6 +++---
 src/shared/bus-unit-util.c | 3 ++-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index 40f6d9a3ffa..1a388f55921 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -2213,8 +2213,8 @@ int bus_exec_context_set_transient_property(
                         return r;
 
                 STRV_FOREACH(p, l) {
-                        if (!filename_is_valid(*p))
-                                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "%s is not valid %s", name, *p);
+                        if (!path_is_safe(*p) || path_is_absolute(*p))
+                                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "%s= path is not valid: %s", name, *p);
                 }
 
                 if (mode != UNIT_CHECK) {
@@ -2235,7 +2235,6 @@ int bus_exec_context_set_transient_property(
                                 unit_write_drop_in_private_format(u, mode, name, "%s=", name);
                         } else {
                                 r = strv_extend_strv(dirs, l, true);
-
                                 if (r < 0)
                                         return -ENOMEM;
 
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index d319934ee24..2c3783a9f0d 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -3718,8 +3718,6 @@ int config_parse_exec_directories(
                 _cleanup_free_ char *word = NULL, *k = NULL;
 
                 r = extract_first_word(&p, &word, NULL, EXTRACT_QUOTES);
-                if (r == 0)
-                        return 0;
                 if (r == -ENOMEM)
                         return log_oom();
                 if (r < 0) {
@@ -3727,6 +3725,8 @@ int config_parse_exec_directories(
                                    "Invalid syntax, ignoring: %s", rvalue);
                         return 0;
                 }
+                if (r == 0)
+                        return 0;
 
                 r = unit_full_printf(u, word, &k);
                 if (r < 0) {
@@ -3737,7 +3737,7 @@ int config_parse_exec_directories(
 
                 if (!path_is_safe(k) || path_is_absolute(k)) {
                         log_syntax(unit, LOG_ERR, filename, line, 0,
-                                   "%s is not valid, ignoring assignment: %s", lvalue, rvalue);
+                                   "%s= path is not valid, ignoring assignment: %s", lvalue, rvalue);
                         continue;
                 }
 
diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
index d216df465f4..a08f17d8210 100644
--- a/src/shared/bus-unit-util.c
+++ b/src/shared/bus-unit-util.c
@@ -959,9 +959,10 @@ int bus_append_unit_property_assignment(sd_bus_message *m, const char *assignmen
                         _cleanup_free_ char *word = NULL;
 
                         r = extract_first_word(&p, &word, NULL, EXTRACT_QUOTES);
+                        if (r == -ENOMEM)
+                                return log_oom();
                         if (r < 0)
                                 return log_error_errno(r, "Failed to parse %s value %s", field, eq);
-
                         if (r == 0)
                                 break;
 
-- 
2.39.2