From ab3262712e2c744a789a3c0bd9994d5d83c98d92 Mon Sep 17 00:00:00 2001 From: Tristan Olive Date: Tue, 22 Sep 2015 16:36:28 -0400 Subject: [PATCH] Wrapper: Verify that executables are in the "app_files" list Prevent bypassing of the code signing mechanism by ensuring that only files defined in the application version are executed. For new clients, this is checked in the APP_INIT_DATA structure. For compatibility with old clients, the client_state.xml file is read and parsed if the APP_INIT_DATA structure does not contain a list of files --- samples/wrapper/wrapper.cpp | 46 +++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/samples/wrapper/wrapper.cpp b/samples/wrapper/wrapper.cpp index 7c06ad5fa9..7144b643c0 100644 --- a/samples/wrapper/wrapper.cpp +++ b/samples/wrapper/wrapper.cpp @@ -1087,6 +1087,52 @@ int main(int argc, char** argv) { // for (i=0; i app_files; + // Get app name, version, and files from XML + while (!xp.get_tag()) { + if (xp.match_tag("/app_version")) break; + if (xp.parse_str("app_name", app_name, sizeof(app_name))) continue; + if (xp.parse_int("version_num", version_num)) continue; + if (xp.match_tag("file_ref")) { + while (!xp.get_tag()) { + char file_name[256]; + if (xp.match_tag("/file_ref")) break; + if (xp.parse_str("file_name", file_name, sizeof(file_name))) { + app_files.push_back(file_name); + } + } + } + } + if ((strcmp(app_name, aid.app_name) == 0) && (version_num == aid.app_version)) { + // This is the current application; populate the + // app_files list + aid.app_files = app_files; + break; + } + } + } + } + } + if (std::find(aid.app_files.begin(), aid.app_files.end(), task.application) == aid.app_files.end()) { + // Don't run the application if not signed + fprintf(stderr, + "%s is not a signed application and will not be run", + task.application + ); + continue; + } if ((int)i