libmount: compose mount.<type> helpers paths more carefully

The [u]mount helper path is "/sbin/mount.<type>", the <type> should not
be possible to interpret like a path, for example:

  # mkdir /sbin/mount.fake
  # mount -t fake/../../../home/user/foo.sh

Anyway, this is *not mount(8) security issue*, because:

  - non-root users don't have permissions to specify -t on mount(8)
    command line
  - /sbin is not writable for regular users

This patch makes libmount more robust for situations when the library
is used by incompetent developers who don't sanitize user's input.

Reported-by: "Horsfall, Matthew" <mhorsfal@akamai.com>
Signed-off-by: Karel Zak <kzak@redhat.com>

diff --git a/libmount/src/context.c b/libmount/src/context.c
index 014f0ee90d7aa3348548ae67ce78b673a4b29d29..0f8f112d4541dcf5d9d12e4ab4dda0b7c5dc883f 100644 (file)
--- a/libmount/src/context.c
+++ b/libmount/src/context.c
@@ -1624,6 +1624,7 @@ int mnt_context_prepare_helper(struct libmnt_context *cxt, const char *name,
        if (mnt_context_is_nohelpers(cxt)
            || !type
            || !strcmp(type, "none")
+           || strstr(type, "/..")              /* don't try to smuggle path */
            || mnt_fs_is_swaparea(cxt->fs))
                return 0;