Wrapper: Verify that executables are in the "app_files" list

Prevent bypassing of the code signing mechanism by ensuring that only files defined in the application version are executed. For new clients, this is checked in the APP_INIT_DATA structure. For compatibility with old clients, the client_state.xml file is read and parsed if the APP_INIT_DATA structure does not contain a list of files
2015-09-22 16:36:28 -04:00 · 2015-09-22 16:36:28 -04:00 · ab3262712e
parent 3b7969b1fd
commit ab3262712e
1 changed files with 46 additions and 0 deletions
--- a/samples/wrapper/wrapper.cpp
+++ b/samples/wrapper/wrapper.cpp
@ -1087,6 +1087,52 @@ int main(int argc, char** argv) {
    //
    for (i=0; i<tasks.size(); i++) {
        TASK& task = tasks[i];
+        if (aid.app_files.size() == 0) {
+            // No app_files parsed from init_data.xml, look for signed apps in
+            // client_state.xml (for backwards compatibility with old clients)
+            FILE* f = fopen("client_state.xml", "r");
+            if (f) {
+                MIOFILE mf;
+                XML_PARSER xp(&mf);
+                mf.init_file(f);
+                while (!xp.get_tag()) {
+                    if (xp.match_tag("app_version")) {
+                        char app_name[256];
+                        int version_num;
+                        std::vector<std::string> app_files;
+                        // Get app name, version, and files from XML
+                        while (!xp.get_tag()) {
+                            if (xp.match_tag("/app_version")) break;
+                            if (xp.parse_str("app_name", app_name, sizeof(app_name))) continue;
+                            if (xp.parse_int("version_num", version_num)) continue;
+                            if (xp.match_tag("file_ref")) {
+                                while (!xp.get_tag()) {
+                                    char file_name[256];
+                                    if (xp.match_tag("/file_ref")) break;
+                                    if (xp.parse_str("file_name", file_name, sizeof(file_name))) {
+                                        app_files.push_back(file_name);
+                                    }
+                                }
+                            }
+                        }
+                        if ((strcmp(app_name, aid.app_name) == 0) && (version_num == aid.app_version)) {
+                            // This is the current application; populate the
+                            // app_files list
+                            aid.app_files = app_files;
+                            break;
+                        }
+                    }
+                }
+            }
+        }
+        if (std::find(aid.app_files.begin(), aid.app_files.end(), task.application) == aid.app_files.end()) {
+            // Don't run the application if not signed
+            fprintf(stderr,
+                "%s is not a signed application and will not be run",
+                task.application
+            );
+            continue;
+        }
        if ((int)i<ntasks_completed) {
            weight_completed += task.weight;
            continue;