[patch#3 5/8] set auto-load safe-path

[patch#3 5/8] set auto-load safe-path

[Jan Kratochvil]

Hi,

this configure parameter is intended for distros:

./configure --with-auto-load-safe-path=/usr:/bin:/sbin:/lib:/lib64

Some distros will add /opt.  There must not be directories like /home, /tmp.

In this patchset there is new add-auto-load-safe-path command.


Thanks,
Jan


gdb/
2012-03-29  Jan Kratochvil  <jan.kratochvil@redhat.com>

	* NEWS: New commands "set auto-load safe-path"
	and "show auto-load safe-path".
	* auto-load.c: Include gdb_vecs.h and readline/tilde.h.
	(auto_load_safe_path, auto_load_safe_path_vec)
	(auto_load_safe_path_vec_update, set_auto_load_safe_path)
	(show_auto_load_safe_path, add_auto_load_safe_path, filename_is_in_dir)
	(filename_is_in_auto_load_safe_path_vec, file_is_auto_load_safe): New.
	(source_gdb_script_for_objfile): New variable is_safe.  Call
	file_is_auto_load_safe.  Return if it is not.
	(struct loaded_script): New field loaded.
	(maybe_add_script): Add parameter loaded.  Initialize SLOT with it.
	(print_script): Use LOADED indicator instead of FULL_PATH.  Change
	output "Missing" to "No".
	(_initialize_auto_load): Initialize auto_load_safe_path.  Register
	"set auto-load safe-path", "show auto-load safe-path"
	and "add-auto-load-safe-path".
	* auto-load.h (maybe_add_script): Add parameter loaded.
	(file_is_auto_load_safe): New declaration.
	* config.in: Regenerate.
	* configure: Regenerate.
	* configure.ac: New parameters --with-auto-load-safe-path
	and --without-auto-load-safe-path.
	* linux-thread-db.c (try_thread_db_load_from_pdir_1)
	(try_thread_db_load_from_dir): Check file_is_auto_load_safe first.
	* main.c (captured_main): Check file_is_auto_load_safe for
	LOCAL_GDBINIT.
	* python/py-auto-load.c (gdbpy_load_auto_script_for_objfile): New
	variable is_safe.  Call file_is_auto_load_safe.  Return if it is not.
	(source_section_scripts): Call file_is_auto_load_safe.  Return if it is
	not.

gdb/doc/
2012-03-29  Jan Kratochvil  <jan.kratochvil@redhat.com>

	* gdb.texinfo (Auto-loading): Extend the "show auto-load"
	and "info auto-load" examples for safe-path.  Put there also references
	for "set auto-load safe-path" and "show auto-load safe-path".
	New menu item for Auto-loading safe path.
	(Auto-loading safe path): New node.
	(Python Auto-loading): Update the expected output from "Missing"
	to "No".

gdb/testsuite/
2012-03-24  Jan Kratochvil  <jan.kratochvil@redhat.com>

	* gdb.python/py-objfile-script.exp (set auto-load safe-path): New.
	* gdb.python/py-section-script.exp (set auto-load safe-path): New.

--- a/gdb/NEWS
+++ b/gdb/NEWS
@@ -149,6 +149,11 @@ set auto-load libthread-db on|off
 show auto-load libthread-db
   Control auto-loading of inferior specific thread debugging shared library.
 
+set auto-load safe-path <dir1>[:<dir2>...]
+show auto-load safe-path
+  Set a list of directories from which it is safe to auto-load files.
+  The delimiter (':' above) may differ according to the host platform.
+
 * New remote packets
 
 z0/z1 conditional breakpoints extension
--- a/gdb/auto-load.c
+++ b/gdb/auto-load.c
@@ -32,6 +32,8 @@
 #include "gdbcmd.h"
 #include "cli/cli-decode.h"
 #include "cli/cli-setshow.h"
+#include "gdb_vecs.h"
+#include "readline/tilde.h"
 
 /* The suffix of per-objfile scripts to auto-load as non-Python command files.
    E.g. When the program loads libfoo.so, look for libfoo-gdb.gdb.  */
@@ -90,6 +92,181 @@ show_auto_load_local_gdbinit (struct ui_file *file, int from_tty,
 		    value);
 }
 
+/* Directory list safe to hold auto-loaded files.  It is not checked for
+   absolute paths but they are strongly recommended.  It is initialized by
+   _initialize_auto_load.  */
+static char *auto_load_safe_path;
+
+/* Vector of directory elements of AUTO_LOAD_SAFE_PATH with each one normalized
+   by tilde_expand and possibly each entries has added its gdb_realpath
+   counterpart.  */
+static VEC (char_ptr) *auto_load_safe_path_vec;
+
+/* Update auto_load_safe_path_vec from current AUTO_LOAD_SAFE_PATH.  */
+
+static void
+auto_load_safe_path_vec_update (void)
+{
+  VEC (char_ptr) *dir_vec = NULL;
+  unsigned len;
+  int ix;
+
+  free_char_ptr_vec (auto_load_safe_path_vec);
+
+  auto_load_safe_path_vec = dirnames_to_char_ptr_vec (auto_load_safe_path);
+  len = VEC_length (char_ptr, auto_load_safe_path_vec);
+
+  /* Apply tilde_expand and gdb_realpath to each AUTO_LOAD_SAFE_PATH_VEC
+     element.  */
+  for (ix = 0; ix < len; ix++)
+    {
+      char *dir = VEC_index (char_ptr, auto_load_safe_path_vec, ix);
+      char *expanded = tilde_expand (dir);
+      char *real_path = gdb_realpath (expanded);
+
+      /* Ensure the current entry is at least tilde_expand-ed.  */
+      xfree (dir);
+      VEC_replace (char_ptr, auto_load_safe_path_vec, ix, expanded);
+
+      /* If gdb_realpath returns a different content, append it.  */
+      if (strcmp (real_path, expanded) == 0)
+	xfree (real_path);
+      else
+	VEC_safe_push (char_ptr, auto_load_safe_path_vec, real_path);
+    }
+}
+
+/* "set" command for the auto_load_safe_path configuration variable.  */
+
+static void
+set_auto_load_safe_path (char *args, int from_tty, struct cmd_list_element *c)
+{
+  auto_load_safe_path_vec_update ();
+}
+
+/* "show" command for the auto_load_safe_path configuration variable.  */
+
+static void
+show_auto_load_safe_path (struct ui_file *file, int from_tty,
+			  struct cmd_list_element *c, const char *value)
+{
+  if (*value == 0)
+    fprintf_filtered (file, _("Auto-load files are safe to load from any "
+			      "directory.\n"));
+  else
+    fprintf_filtered (file, _("List of directories from which it is safe to "
+			      "auto-load files is %s.\n"),
+		      value);
+}
+
+/* "add-auto-load-safe-path" command for the auto_load_safe_path configuration
+   variable.  */
+
+static void
+add_auto_load_safe_path (char *args, int from_tty)
+{
+  char *s;
+
+  if (args == NULL || *args == 0)
+    error (_("\
+Adding empty directory element disables the auto-load safe-path security.  \
+Use 'set auto-load safe-path' instead if you mean that."));
+
+  s = xstrprintf ("%s%c%s", auto_load_safe_path, DIRNAME_SEPARATOR, args);
+  xfree (auto_load_safe_path);
+  auto_load_safe_path = s;
+
+  auto_load_safe_path_vec_update ();
+}
+
+/* Return 1 if FILENAME is equal to DIR or if FILENAME belongs to the
+   subdirectory DIR.  Return 0 otherwise.  gdb_realpath normalization is never
+   done here.  */
+
+static ATTRIBUTE_PURE int
+filename_is_in_dir (const char *filename, const char *dir)
+{
+  size_t dir_len = strlen (dir);
+
+  while (dir_len && IS_DIR_SEPARATOR (dir[dir_len - 1]))
+    dir_len--;
+
+  return (filename_ncmp (dir, filename, dir_len) == 0
+	  && (IS_DIR_SEPARATOR (filename[dir_len])
+	      || filename[dir_len] == '\0'));
+}
+
+/* Return 1 if FILENAME belongs to one of directory components of
+   AUTO_LOAD_SAFE_PATH_VEC.  Return 0 otherwise.
+   auto_load_safe_path_vec_update is never called.
+   *FILENAME_REALP may be updated by gdb_realpath of FILENAME - it has to be
+   freed by the caller.  */
+
+static int
+filename_is_in_auto_load_safe_path_vec (const char *filename,
+					char **filename_realp)
+{
+  char *dir;
+  int ix;
+
+  for (ix = 0; VEC_iterate (char_ptr, auto_load_safe_path_vec, ix, dir); ++ix)
+    if (*filename_realp == NULL && filename_is_in_dir (filename, dir))
+      break;
+  
+  if (dir == NULL)
+    {
+      if (*filename_realp == NULL)
+	*filename_realp = gdb_realpath (filename);
+
+      for (ix = 0; VEC_iterate (char_ptr, auto_load_safe_path_vec, ix, dir);
+	   ++ix)
+	if (filename_is_in_dir (*filename_realp, dir))
+	  break;
+    }
+
+  if (dir != NULL)
+    return 1;
+
+  return 0;
+}
+
+/* Return 1 if FILENAME is located in one of the directories of
+   AUTO_LOAD_SAFE_PATH.  Otherwise call warning and return 0.  FILENAME does
+   not have to be an absolute path.
+
+   Existence of FILENAME is not checked.  Function will still give a warning
+   even if the caller would quietly skip non-existing file in unsafe
+   directory.  */
+
+int
+file_is_auto_load_safe (const char *filename)
+{
+  char *filename_real = NULL;
+  struct cleanup *back_to;
+
+  back_to = make_cleanup (free_current_contents, &filename_real);
+
+  if (filename_is_in_auto_load_safe_path_vec (filename, &filename_real))
+    {
+      do_cleanups (back_to);
+      return 1;
+    }
+
+  auto_load_safe_path_vec_update ();
+  if (filename_is_in_auto_load_safe_path_vec (filename, &filename_real))
+    {
+      do_cleanups (back_to);
+      return 1;
+    }
+
+  warning (_("File \"%s\" auto-loading has been declined by your "
+	     "`auto-load safe-path' set to \"%s\"."),
+	   filename_real, auto_load_safe_path);
+
+  do_cleanups (back_to);
+  return 0;
+}
+
 /* Definition of script language for GDB canned sequences of commands.  */
 
 static const struct script_language script_language_gdb
@@ -99,13 +276,20 @@ static void
 source_gdb_script_for_objfile (struct objfile *objfile, FILE *file,
 			       const char *filename)
 {
+  int is_safe;
   struct auto_load_pspace_info *pspace_info;
   volatile struct gdb_exception e;
 
+  is_safe = file_is_auto_load_safe (filename);
+
   /* Add this script to the hash table too so "info auto-load gdb-scripts"
      can print it.  */
   pspace_info = get_auto_load_pspace_data_for_loading (current_program_space);
-  maybe_add_script (pspace_info, filename, filename, &script_language_gdb);
+  maybe_add_script (pspace_info, is_safe, filename, filename,
+		    &script_language_gdb);
+
+  if (!is_safe)
+    return;
 
   TRY_CATCH (e, RETURN_MASK_ALL)
     {
@@ -140,6 +324,9 @@ struct loaded_script
      inaccessible).  */
   const char *full_path;
 
+  /* Non-zero if this script has been loaded.  */
+  int loaded;
+
   const struct script_language *language;
 };
 
@@ -232,12 +419,13 @@ get_auto_load_pspace_data_for_loading (struct program_space *pspace)
   return info;
 }
 
-/* Add script NAME in LANGUAGE to hash table of PSPACE_INFO.
-   FULL_PATH is NULL if the script wasn't found.  The result is
+/* Add script NAME in LANGUAGE to hash table of PSPACE_INFO.  LOADED 1 if the
+   script has been (is going to) be loaded, 0 otherwise (such as if it has not
+   been found).  FULL_PATH is NULL if the script wasn't found.  The result is
    true if the script was already in the hash table.  */
 
 int
-maybe_add_script (struct auto_load_pspace_info *pspace_info,
+maybe_add_script (struct auto_load_pspace_info *pspace_info, int loaded,
 		  const char *name, const char *full_path,
 		  const struct script_language *language)
 {
@@ -271,6 +459,7 @@ maybe_add_script (struct auto_load_pspace_info *pspace_info,
 	}
       else
 	(*slot)->full_path = NULL;
+      (*slot)->loaded = loaded;
       (*slot)->language = language;
     }
 
@@ -432,7 +621,7 @@ print_script (struct loaded_script *script)
 
   chain = make_cleanup_ui_out_tuple_begin_end (uiout, NULL);
 
-  ui_out_field_string (uiout, "loaded", script->full_path ? "Yes" : "Missing");
+  ui_out_field_string (uiout, "loaded", script->loaded ? "Yes" : "No");
   ui_out_field_string (uiout, "script", script->name);
   ui_out_text (uiout, "\n");
 
@@ -757,4 +946,28 @@ This options has security implications for untrusted inferiors."),
 	   _("Print whether current directory .gdbinit file has been loaded.\n\
 Usage: info auto-load local-gdbinit"),
 	   auto_load_info_cmdlist_get ());
+
+  auto_load_safe_path = xstrdup (DEFAULT_AUTO_LOAD_SAFE_PATH);
+  auto_load_safe_path_vec_update ();
+  add_setshow_optional_filename_cmd ("safe-path", class_support,
+				     &auto_load_safe_path, _("\
+Set the list of directories from which it is safe to auto-load files."), _("\
+Show the list of directories from which it is safe to auto-load files."), _("\
+Various files loaded automatically for the 'set auto-load ...' options must\n\
+be located in one of the directories listed by this option.  Warning will be\n\
+printed and file will not be used otherwise.  Use empty string (or even\n\
+empty directory entry) to allow any file for the 'set auto-load ...' options.\n\
+This option is ignored for the kinds of files having 'set auto-load ... off'.\n\
+This options has security implications for untrusted inferiors."),
+				     set_auto_load_safe_path,
+				     show_auto_load_safe_path,
+				     auto_load_set_cmdlist_get (),
+				     auto_load_show_cmdlist_get ());
+
+  add_cmd ("add-auto-load-safe-path", class_support, add_auto_load_safe_path,
+	   _("Add entries to the list of directories from which it is safe "
+	     "to auto-load files.\n\
+See the commands 'set auto-load safe-path' and 'show auto-load safe-path' to\n\
+access the current full list setting."),
+	   &cmdlist);
 }
--- a/gdb/auto-load.h
+++ b/gdb/auto-load.h
@@ -39,7 +39,8 @@ extern int auto_load_local_gdbinit_loaded;
 extern struct auto_load_pspace_info *
   get_auto_load_pspace_data_for_loading (struct program_space *pspace);
 extern int maybe_add_script (struct auto_load_pspace_info *pspace_info,
-			     const char *name, const char *full_path,
+			     int loaded, const char *name,
+			     const char *full_path,
 			     const struct script_language *language);
 extern void auto_load_objfile_script (struct objfile *objfile,
 				      const struct script_language *language);
@@ -54,4 +55,6 @@ extern struct cmd_list_element **auto_load_set_cmdlist_get (void);
 extern struct cmd_list_element **auto_load_show_cmdlist_get (void);
 extern struct cmd_list_element **auto_load_info_cmdlist_get (void);
 
+extern int file_is_auto_load_safe (const char *filename);
+
 #endif /* AUTO_LOAD_H */
--- a/gdb/config.in
+++ b/gdb/config.in
@@ -43,6 +43,9 @@
    moved. */
 #undef DEBUGDIR_RELOCATABLE
 
+/* Directories safe to hold auto-loaded files. */
+#undef DEFAULT_AUTO_LOAD_SAFE_PATH
+
 /* Define to BFD's default architecture. */
 #undef DEFAULT_BFD_ARCH
 
--- a/gdb/configure
+++ b/gdb/configure
@@ -951,6 +951,7 @@ enable_dependency_tracking
 with_separate_debug_dir
 with_gdb_datadir
 with_relocated_sources
+with_auto_load_safe_path
 enable_targets
 enable_64_bit_bfd
 enable_gdbcli
@@ -1659,6 +1660,10 @@ Optional Packages:
                           [DATADIR/gdb]
   --with-relocated-sources=PATH
                           automatically relocate this path for source files
+  --with-auto-load-safe-path=PATH
+                          directories safe to hold auto-loaded files
+  --without-auto-load-safe-path
+                          do not restrict auto-loaded files locations
   --with-libunwind-ia64   use libunwind frame unwinding for ia64 targets
   --with-curses           use the curses library instead of the termcap
                           library
@@ -7940,6 +7945,32 @@ _ACEOF
 fi
 
 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for default auto-load safe-path" >&5
+$as_echo_n "checking for default auto-load safe-path... " >&6; }
+
+# Check whether --with-auto-load-safe-path was given.
+if test "${with_auto_load_safe_path+set}" = set; then :
+  withval=$with_auto_load_safe_path; if test "$with_auto_load_safe_path" = "no"; then
+   with_auto_load_safe_path=""
+ fi
+else
+  with_auto_load_safe_path="$prefix"
+fi
+
+
+  test "x$prefix" = xNONE && prefix="$ac_default_prefix"
+  test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
+  ac_define_dir=`eval echo $with_auto_load_safe_path`
+  ac_define_dir=`eval echo $ac_define_dir`
+
+cat >>confdefs.h <<_ACEOF
+#define DEFAULT_AUTO_LOAD_SAFE_PATH "$ac_define_dir"
+_ACEOF
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_auto_load_safe_path" >&5
+$as_echo "$with_auto_load_safe_path" >&6; }
+
 
 
 subdirs="$subdirs testsuite"
--- a/gdb/configure.ac
+++ b/gdb/configure.ac
@@ -134,6 +134,18 @@ AS_HELP_STRING([--with-relocated-sources=PATH], [automatically relocate this pat
               [Relocated directory for source files. ])
 ])
 
+AC_MSG_CHECKING([for default auto-load safe-path])
+AC_ARG_WITH(auto-load-safe-path,
+AS_HELP_STRING([--with-auto-load-safe-path=PATH], [directories safe to hold auto-loaded files])
+AS_HELP_STRING([--without-auto-load-safe-path], [do not restrict auto-loaded files locations]),
+[if test "$with_auto_load_safe_path" = "no"; then
+   with_auto_load_safe_path=""
+ fi],
+[with_auto_load_safe_path="$prefix"])
+AC_DEFINE_DIR(DEFAULT_AUTO_LOAD_SAFE_PATH, with_auto_load_safe_path,
+	      [Directories safe to hold auto-loaded files.])
+AC_MSG_RESULT([$with_auto_load_safe_path])
+
 AC_CONFIG_SUBDIRS(testsuite)
 
 # Check whether to support alternative target configurations
--- a/gdb/doc/gdb.texinfo
+++ b/gdb/doc/gdb.texinfo
@@ -20743,6 +20743,8 @@ gdb-scripts:  Auto-loading of canned sequences of commands scripts is on.
 libthread-db:  Auto-loading of inferior specific libthread_db is on.
 local-gdbinit:  Auto-loading of .gdbinit script from current directory is on.
 python-scripts:  Auto-loading of Python scripts is on.
+safe-path:  List of directories from which it is safe to auto-load files
+            is /usr/local.
 @end smallexample
 
 @anchor{info auto-load}
@@ -20812,12 +20814,19 @@ These are @value{GDBN} control commands for the auto-loading:
 @tab Show setting of thread debugging library.
 @item @xref{info auto-load libthread-db}.
 @tab Show state of thread debugging library.
+@item @xref{set auto-load safe-path}.
+@tab Control directories trusted for automatic loading.
+@item @xref{show auto-load safe-path}.
+@tab Show directories trusted for automatic loading.
+@item @xref{add-auto-load-safe-path}.
+@tab Add directory trusted for automatic loading.
 @end multitable
 
 @menu
 * Init File in the Current Directory:: @samp{set/show/info auto-load local-gdbinit}
 * libthread_db.so.1 file::             @samp{set/show/info auto-load libthread-db}
 * @var{objfile}-gdb.gdb file::               @samp{set/show/info auto-load gdb-script}
+* Auto-loading safe path::             @samp{set/show/info auto-load safe-path}
 @xref{Python Auto-loading}.
 @end menu
 
@@ -20918,6 +20927,104 @@ auto-loaded.
 If @var{regexp} is supplied only canned sequences of commands scripts with
 matching names are printed.
 
+@node Auto-loading safe path
+@subsection Security restriction for auto-loading
+@cindex auto-loading safe-path
+
+As the files of inferior can come from untrusted source (such as submitted by
+an application user) @value{GDBN} does not always load any files automatically.
+@value{GDBN} provides the @samp{set auto-load safe-path} setting to list
+directories trusted for loading files not explicitly requested by user.
+
+If the path is not set properly you will see a warning and the file will not
+get loaded:
+
+@smallexample
+$ ./gdb -q ./gdb
+Reading symbols from /home/user/gdb/gdb...done.
+warning: File "/home/user/gdb/gdb-gdb.gdb" auto-loading has been
+         declined by your `auto-load safe-path' set to "/usr/local".
+warning: File "/home/user/gdb/gdb-gdb.py" auto-loading has been
+         declined by your `auto-load safe-path' set to "/usr/local".
+@end smallexample
+
+The list of trusted directories is controlled by the following commands:
+
+@table @code
+@anchor{set auto-load safe-path}
+@kindex set auto-load safe-path
+@item set auto-load safe-path @var{directories}
+Set the list of directories (and their subdirectories) trusted for automatic
+loading and execution of scripts.  You can also enter a specific trusted file.
+The list of directories uses directory separator (@samp{:} on GNU and Unix
+systems, @samp{;} on MS-Windows and MS-DOS) to separate directories, similarly
+to the @env{PATH} environment variable.
+
+@anchor{show auto-load safe-path}
+@kindex show auto-load safe-path
+@item show auto-load safe-path
+Show the list of directories trusted for automatic loading and execution of
+scripts.
+
+@anchor{add-auto-load-safe-path}
+@kindex add-auto-load-safe-path
+@item add-auto-load-safe-path
+Add an entry (or list of entries) the list of directories trusted for automatic
+loading and execution of scripts.  Multiple entries may be delimited by the
+host platform directory separator in use.
+@end table
+
+Setting this variable to an empty string disables this security protection.
+This variable is supposed to be set to the system directories writable by the
+system superuser only.  Users can add their source directories in init files in
+their home directories (@pxref{Home Directory Init File}).  See also deprecated
+init file in the current directory
+(@pxref{Init File in the Current Directory during Startup}).
+
+To force @value{GDBN} to load the files it declined to load in the previous
+example, you could use one of the following ways:
+
+@itemize @bullet
+@item ~/.gdbinit: add-auto-load-safe-path ~/src/gdb
+Specify this trusted directory (or a file) as additional component of the list.
+You have to specify also any existing directories displayed by
+by @samp{show auto-load safe-path} (such as @samp{/usr:/bin} in this example).
+
+@item @kbd{gdb -iex "set auto-load safe-path /usr:/bin:~/src/gdb" [@dots{}]}
+Specify this directory as in the previous case but just for a single
+@value{GDBN} session.
+
+@item @kbd{gdb -iex "set auto-load safe-path" [@dots{}]}
+Disable auto-loading safety for a single @value{GDBN} session.
+This assumes all the files you debug during this @value{GDBN} session will come
+from trusted sources.
+
+@item @kbd{./configure --without-auto-load-safe-path}
+During compilation of @value{GDBN} you may disable any auto-loading safety.
+This assumes all the files you will ever debug with this @value{GDBN} come from
+trusted sources.
+@end itemize
+
+On the other hand you can also explicitly forbid automatic files loading which
+also suppresses any such warning messages:
+
+@itemize @bullet
+@item @kbd{gdb -iex "set auto-load no" [@dots{}]}
+You can use @value{GDBN} command-line option for a single @value{GDBN} session.
+
+@item @samp{~/.gdbinit}: @samp{set auto-load no}
+Disable auto-loading globally for the user
+(@pxref{Home Directory Init File}).  While it is improbable, you could also
+use system init file instead (@pxref{System-wide configuration}).
+@end itemize
+
+This setting applies to the pathnames as entered by user.  If no entry matches
+@value{GDBN} tries as a last resort to also resolve all the pathnames into
+their canonical form (typically resolving symbolic links) and compare the
+entries again.  @value{GDBN} already canonicalizes most of the filenames on its
+own before starting the comparison so a canonical form of directories is
+recommended to be entered.
+
 @node Messages/Warnings
 @section Optional Warnings and Messages
 
@@ -24984,10 +25091,10 @@ Example:
 
 @smallexample
 (gdb) info auto-load python-scripts
-Loaded  Script
-Yes     py-section-script.py
-        full name: /tmp/py-section-script.py
-Missing my-foo-pretty-printers.py
+Loaded Script
+Yes    py-section-script.py
+       full name: /tmp/py-section-script.py
+No     my-foo-pretty-printers.py
 @end smallexample
 @end table
 
--- a/gdb/linux-thread-db.c
+++ b/gdb/linux-thread-db.c
@@ -869,7 +869,11 @@ try_thread_db_load_from_pdir_1 (struct objfile *obj)
   /* This should at minimum hit the first character.  */
   gdb_assert (cp != NULL);
   strcpy (cp + 1, LIBTHREAD_DB_SO);
-  result = try_thread_db_load (path);
+
+  if (!file_is_auto_load_safe (path))
+    result = 0;
+  else
+    result = try_thread_db_load (path);
 
   do_cleanups (cleanup);
   return result;
@@ -935,7 +939,11 @@ try_thread_db_load_from_dir (const char *dir, size_t dir_len)
   memcpy (path, dir, dir_len);
   path[dir_len] = '/';
   strcpy (path + dir_len + 1, LIBTHREAD_DB_SO);
-  result = try_thread_db_load (path);
+
+  if (!file_is_auto_load_safe (path))
+    result = 0;
+  else
+    result = try_thread_db_load (path);
 
   do_cleanups (cleanup);
   return result;
--- a/gdb/main.c
+++ b/gdb/main.c
@@ -944,7 +944,8 @@ captured_main (void *data)
     {
       auto_load_local_gdbinit_pathname = gdb_realpath (local_gdbinit);
 
-      if (!inhibit_gdbinit && auto_load_local_gdbinit)
+      if (!inhibit_gdbinit && auto_load_local_gdbinit
+	  && file_is_auto_load_safe (local_gdbinit))
 	{
 	  auto_load_local_gdbinit_loaded = 1;
 
--- a/gdb/python/py-auto-load.c
+++ b/gdb/python/py-auto-load.c
@@ -72,14 +72,19 @@ static void
 gdbpy_load_auto_script_for_objfile (struct objfile *objfile, FILE *file,
 				    const char *filename)
 {
+  int is_safe;
   struct auto_load_pspace_info *pspace_info;
 
+  is_safe = file_is_auto_load_safe (filename);
+
   /* Add this script to the hash table too so "info auto-load python-scripts"
      can print it.  */
   pspace_info = get_auto_load_pspace_data_for_loading (current_program_space);
-  maybe_add_script (pspace_info, filename, filename, &script_language_python);
+  maybe_add_script (pspace_info, is_safe, filename, filename,
+		    &script_language_python);
 
-  source_python_script_for_objfile (objfile, file, filename);
+  if (is_safe)
+    source_python_script_for_objfile (objfile, file, filename);
 }
 
 /* Load scripts specified in OBJFILE.
@@ -147,6 +152,9 @@ source_section_scripts (struct objfile *objfile, const char *source_name,
 	{
 	  make_cleanup_fclose (stream);
 	  make_cleanup (xfree, full_path);
+
+	  if (!file_is_auto_load_safe (full_path))
+	    opened = 0;
 	}
       else
 	{
@@ -167,7 +175,7 @@ Use `info auto-load python [REGEXP]' to list them."),
 
 	 IWBN if complaints.c were more general-purpose.  */
 
-      in_hash_table = maybe_add_script (pspace_info, file, full_path,
+      in_hash_table = maybe_add_script (pspace_info, opened, file, full_path,
 					&script_language_python);
 
       /* If this file is not currently loaded, load it.  */
--- a/gdb/testsuite/gdb.python/py-objfile-script.exp
+++ b/gdb/testsuite/gdb.python/py-objfile-script.exp
@@ -37,6 +37,7 @@ if { [skip_python_tests] } { continue }
 set remote_python_file [remote_download host ${srcdir}/${subdir}/${testfile}-gdb.py.in ${subdir}/${testfile}-gdb.py]
 
 gdb_reinitialize_dir $srcdir/$subdir
+gdb_test_no_output "set auto-load safe-path ${remote_python_file}" "set auto-load safe-path"
 gdb_load ${binfile}
 
 # Verify gdb loaded the script.
--- a/gdb/testsuite/gdb.python/py-section-script.exp
+++ b/gdb/testsuite/gdb.python/py-section-script.exp
@@ -49,6 +49,7 @@ if { [skip_python_tests] } { continue }
 set remote_python_file [remote_download host ${srcdir}/${subdir}/${testfile}.py]
 
 gdb_reinitialize_dir $srcdir/$subdir
+gdb_test_no_output "set auto-load safe-path ${remote_python_file}" "set auto-load safe-path"
 gdb_load ${binfile}
 
 # Verify gdb loaded the script.

Re: [patch#3 5/8] set auto-load safe-path

[Joel Brobecker]

Sorry to be coming this late in the discussion, but I thought I'd make
one comment about the documentation:

> gdb/doc/
> 2012-03-29  Jan Kratochvil  <jan.kratochvil@redhat.com>
> 
> 	* gdb.texinfo (Auto-loading): Extend the "show auto-load"
> 	and "info auto-load" examples for safe-path.  Put there also references
> 	for "set auto-load safe-path" and "show auto-load safe-path".
> 	New menu item for Auto-loading safe path.
> 	(Auto-loading safe path): New node.
> 	(Python Auto-loading): Update the expected output from "Missing"
> 	to "No".

I was trying to familiarize myself how things work, now, in terms of
auto-loading, so I started reading the documetnation and I really got
tricked into thinking that I'd be fine, and that things hadn't changed.
The problem is that setting such as "set auto-load local-gdbint on"
is not sufficient to get local .gdbinit files to get loaded automatically.
I was really surprised when I got a warning while trying to debug GDB.

I accept the new behavior, and the security claim, no problem.
I just think that we can improve on the documentation as follow:

In my opinion, we should definitely mention the "auto-load safe-path"
setting at the very beginning of the auto-load section, before we start
talking about the various kinds of files that can be automatically
loaded. And I also think that it would be beneficial to add a reference
to the safe-path setting in all "set auto-load ..." commands, to make
sure that people who quickly search the documentation do not miss the
important fact that setting "auto-load local-gdbinit" to "on" might not
be sufficient.

And lastly, it would have been nice if, after reading the documentation,
the user could have had a sense of what policy GDB implements by default.
For instance, GDB's default policy is to enable auto-loading of all
files, but only from trusted directories specified via the "auto-load
safe-path" setting.

-- 
Joel

Re: [patch#3 5/8] set auto-load safe-path

[Eli Zaretskii]

> Date: Tue, 8 May 2012 21:21:29 -0700
> From: Joel Brobecker <brobecker@adacore.com>
> Cc: gdb-patches@sourceware.org, Eli Zaretskii <eliz@gnu.org>
> 
> I accept the new behavior, and the security claim, no problem.
> I just think that we can improve on the documentation as follow:
> 
> In my opinion, we should definitely mention the "auto-load safe-path"
> setting at the very beginning of the auto-load section, before we start
> talking about the various kinds of files that can be automatically
> loaded. And I also think that it would be beneficial to add a reference
> to the safe-path setting in all "set auto-load ..." commands, to make
> sure that people who quickly search the documentation do not miss the
> important fact that setting "auto-load local-gdbinit" to "on" might not
> be sufficient.
> 
> And lastly, it would have been nice if, after reading the documentation,
> the user could have had a sense of what policy GDB implements by default.
> For instance, GDB's default policy is to enable auto-loading of all
> files, but only from trusted directories specified via the "auto-load
> safe-path" setting.

I would welcome patches ;-)

Re: [patch#3 5/8] set auto-load safe-path

[Jan Kratochvil]

On Wed, 09 May 2012 06:21:29 +0200, Joel Brobecker wrote:
> Sorry to be coming this late in the discussion, but I thought I'd make
> one comment about the documentation:

OK, thanks, going to post documentation update (I even already have some
different auto-load doc updates prepared).

I am more curious the message
	warning: File "/home/user/src/gdb/.gdbinit" auto-loading has been declined by your `auto-load safe-path' set to "/usr/local".

already does not suggest you what to do, without ever needing to open the
documentation.  Whether the warning message could not be (also) improved.


Thanks,
Jan

Re: [patch#3 5/8] set auto-load safe-path

[Joel Brobecker]

> OK, thanks, going to post documentation update (I even already have some
> different auto-load doc updates prepared).

Thanks, Jan.

> I am more curious the message
> 	warning: File "/home/user/src/gdb/.gdbinit" auto-loading has
> been declined by your `auto-load safe-path' set to "/usr/local".
> 
> already does not suggest you what to do, without ever needing to open the
> documentation.  Whether the warning message could not be (also) improved.

That's because I decided to learn about this new feature from
the documentation instead of from experimentation. I got the warning
afterwards. The warning was informative and pointed me in the right
direction.

-- 
Joel

[doc patch] auto-load: Make more set auto-load safe-path references [Re: [patch#3 5/8] set auto-load safe-path]

[Jan Kratochvil]

Hi Joel,

On Wed, 09 May 2012 06:21:29 +0200, Joel Brobecker wrote:
> In my opinion, we should definitely mention the "auto-load safe-path"
> setting at the very beginning of the auto-load section, before we start
> talking about the various kinds of files that can be automatically
> loaded. And I also think that it would be beneficial to add a reference
> to the safe-path setting in all "set auto-load ..." commands, to make
> sure that people who quickly search the documentation do not miss the
> important fact that setting "auto-load local-gdbinit" to "on" might not
> be sufficient.

attached.


> And lastly, it would have been nice if, after reading the documentation,
> the user could have had a sense of what policy GDB implements by default.
> For instance, GDB's default policy is to enable auto-loading of all
> files, but only from trusted directories specified via the "auto-load
> safe-path" setting.

There is already that paragraph (in Node: Auto-loading safe path):

   Setting this variable to `/' disables this security protection,
corresponding GDB configuration option is
`--without-auto-load-safe-path'.  This variable is supposed to be set
to the system directories writable by the system superuser only.  Users
can add their source directories in init files in their home
directories (*note Home Directory Init File::).  See also deprecated
init file in the current directory (*note Init File in the Current
Directory during Startup::).

Do you find it insufficient?


Thanks,
Jan


gdb/doc
2012-05-09  Jan Kratochvil  <jan.kratochvil@redhat.com>

	* gdb.texinfo (Auto-loading, Init File in the Current Directory)
	(libthread_db.so.1 file, objfile-gdb.gdb file, objfile-gdb.py file)
	(dotdebug_gdb_scripts section): Add reference
	to 'Auto-loading safe path'.

--- a/gdb/doc/gdb.texinfo
+++ b/gdb/doc/gdb.texinfo
@@ -20973,6 +20973,10 @@ without being explicitly told so by the user.  We call this feature
 results or introduce security risks (e.g., if the file comes from untrusted
 sources).
 
+Notice loading of these associated files (including the local @file{.gdbinit}
+file) requires accordingly configured @code{auto-load safe-path}
+(@pxref{Auto-loading safe path}).
+
 For these reasons, @value{GDBN} includes commands and options to let you
 control when to auto-load files and which files should be auto-loaded.
 
@@ -21110,6 +21114,9 @@ By default, @value{GDBN} reads and executes the canned sequences of commands
 from init file (if any) in the current working directory,
 see @ref{Init File in the Current Directory during Startup}.
 
+Notice loading of this local @file{.gdbinit} file also requires accordingly
+configured @code{auto-load safe-path} (@pxref{Auto-loading safe path}).
+
 @table @code
 @anchor{set auto-load local-gdbinit}
 @kindex set auto-load local-gdbinit
@@ -21146,6 +21153,9 @@ libraries have to be trusted in general.  In all other cases of
 auto-load libthread-db} is enabled before trying to open such thread debugging
 library.
 
+Notice loading of this debugging library also requires accordingly configured
+@code{auto-load safe-path} (@pxref{Auto-loading safe path}).
+
 @table @code
 @anchor{set auto-load libthread-db}
 @kindex set auto-load libthread-db
@@ -21173,6 +21183,9 @@ for each such library print list of inferior @var{pid}s using it.
 canned sequences of commands (@pxref{Sequences}), as long as @samp{set
 auto-load gdb-scripts} is set to @samp{on}.
 
+Notice loading of this script file also requires accordingly configured
+@code{auto-load safe-path} (@pxref{Auto-loading safe path}).
+
 For more background refer to the similar Python scripts auto-loading
 description (@pxref{objfile-gdb.py file}).
 
@@ -25463,7 +25476,10 @@ then @value{GDBN} will look for @var{script-name} in all of the
 directories mentioned in the value of @code{debug-file-directory}.
 
 Finally, if this file does not exist, then @value{GDBN} will look for
-@var{script-name} file in all of the directories specified by:
+@var{script-name} file in all of the directories as specified below.
+
+Notice loading of this script file also requires accordingly configured
+@code{auto-load safe-path} (@pxref{Auto-loading safe path}).
 
 @table @code
 @anchor{set auto-load scripts-directory}
@@ -25539,6 +25555,9 @@ DEFINE_GDB_SCRIPT ("my-app-scripts.py")
 
 The script name may include directories if desired.
 
+Notice loading of this script file also requires accordingly configured
+@code{auto-load safe-path} (@pxref{Auto-loading safe path}).
+
 If the macro is put in a header, any application or library
 using this header will get a reference to the specified script.
 

Re: [doc patch] auto-load: Make more set auto-load safe-path references [Re: [patch#3 5/8] set auto-load safe-path]

[Eli Zaretskii]

> Date: Wed, 9 May 2012 20:25:55 +0200
> From: Jan Kratochvil <jan.kratochvil@redhat.com>
> Cc: gdb-patches@sourceware.org, Eli Zaretskii <eliz@gnu.org>
> 
> +Notice loading of these associated files (including the local @file{.gdbinit}
   ^^^^^^
"Note that ..." instead of "Notice".  Likewise elsewhere.

Thanks.

Re: [doc patch] auto-load: Make more set auto-load safe-path references [Re: [patch#3 5/8] set auto-load safe-path]

[Jan Kratochvil]

On Wed, 09 May 2012 20:47:27 +0200, Eli Zaretskii wrote:
> > Date: Wed, 9 May 2012 20:25:55 +0200
> > From: Jan Kratochvil <jan.kratochvil@redhat.com>
> > Cc: gdb-patches@sourceware.org, Eli Zaretskii <eliz@gnu.org>
> > 
> > +Notice loading of these associated files (including the local @file{.gdbinit}
>    ^^^^^^
> "Note that ..." instead of "Notice".  Likewise elsewhere.

Updated.

(Not yet checked in so I do not have to resolve patch dependency conflicts,
besides not yet commented by Joel).


Thanks,
Jan


gdb/doc
2012-05-09  Jan Kratochvil  <jan.kratochvil@redhat.com>

	* gdb.texinfo (Auto-loading, Init File in the Current Directory)
	(libthread_db.so.1 file, objfile-gdb.gdb file, objfile-gdb.py file)
	(dotdebug_gdb_scripts section): Add reference
	to 'Auto-loading safe path'.

--- a/gdb/doc/gdb.texinfo
+++ b/gdb/doc/gdb.texinfo
@@ -20973,6 +20973,10 @@ without being explicitly told so by the user.  We call this feature
 results or introduce security risks (e.g., if the file comes from untrusted
 sources).
 
+Note that loading of these associated files (including the local @file{.gdbinit}
+file) requires accordingly configured @code{auto-load safe-path}
+(@pxref{Auto-loading safe path}).
+
 For these reasons, @value{GDBN} includes commands and options to let you
 control when to auto-load files and which files should be auto-loaded.
 
@@ -21110,6 +21114,9 @@ By default, @value{GDBN} reads and executes the canned sequences of commands
 from init file (if any) in the current working directory,
 see @ref{Init File in the Current Directory during Startup}.
 
+Note that loading of this local @file{.gdbinit} file also requires accordingly
+configured @code{auto-load safe-path} (@pxref{Auto-loading safe path}).
+
 @table @code
 @anchor{set auto-load local-gdbinit}
 @kindex set auto-load local-gdbinit
@@ -21146,6 +21153,9 @@ libraries have to be trusted in general.  In all other cases of
 auto-load libthread-db} is enabled before trying to open such thread debugging
 library.
 
+Note that loading of this debugging library also requires accordingly configured
+@code{auto-load safe-path} (@pxref{Auto-loading safe path}).
+
 @table @code
 @anchor{set auto-load libthread-db}
 @kindex set auto-load libthread-db
@@ -21173,6 +21183,9 @@ for each such library print list of inferior @var{pid}s using it.
 canned sequences of commands (@pxref{Sequences}), as long as @samp{set
 auto-load gdb-scripts} is set to @samp{on}.
 
+Note that loading of this script file also requires accordingly configured
+@code{auto-load safe-path} (@pxref{Auto-loading safe path}).
+
 For more background refer to the similar Python scripts auto-loading
 description (@pxref{objfile-gdb.py file}).
 
@@ -25463,7 +25476,10 @@ then @value{GDBN} will look for @var{script-name} in all of the
 directories mentioned in the value of @code{debug-file-directory}.
 
 Finally, if this file does not exist, then @value{GDBN} will look for
-@var{script-name} file in all of the directories specified by:
+@var{script-name} file in all of the directories as specified below.
+
+Note that loading of this script file also requires accordingly configured
+@code{auto-load safe-path} (@pxref{Auto-loading safe path}).
 
 @table @code
 @anchor{set auto-load scripts-directory}
@@ -25540,6 +25556,9 @@ DEFINE_GDB_SCRIPT ("my-app-scripts.py")
 
 The script name may include directories if desired.
 
+Note that loading of this script file also requires accordingly configured
+@code{auto-load safe-path} (@pxref{Auto-loading safe path}).
+
 If the macro is put in a header, any application or library
 using this header will get a reference to the specified script.
 

Re: [doc patch] auto-load: Make more set auto-load safe-path references [Re: [patch#3 5/8] set auto-load safe-path]

[Joel Brobecker]

> attached.

Thanks!

> > And lastly, it would have been nice if, after reading the documentation,
> > the user could have had a sense of what policy GDB implements by default.
> > For instance, GDB's default policy is to enable auto-loading of all
> > files, but only from trusted directories specified via the "auto-load
> > safe-path" setting.
> 
> There is already that paragraph (in Node: Auto-loading safe path):
> 
>    Setting this variable to `/' disables this security protection,
> corresponding GDB configuration option is
> `--without-auto-load-safe-path'.  This variable is supposed to be set
> to the system directories writable by the system superuser only.  Users
> can add their source directories in init files in their home
> directories (*note Home Directory Init File::).  See also deprecated
> init file in the current directory (*note Init File in the Current
> Directory during Startup::).
> 
> Do you find it insufficient?

I just find it more logical to have it at the beginning, rather than
the end. The way I see it, "set auto-load safe-path" is the first
barrier involved in determining whether to auto-load a file or not.

But I'm fine either way. I think your patch is already a good
improvement as it is.

Thanks, Jan.
-- 
Joel

[commit] [doc patch] auto-load: Make more set auto-load safe-path references [Re: [patch#3 5/8] set auto-load safe-path]

[Jan Kratochvil]

On Wed, 09 May 2012 21:58:22 +0200, Joel Brobecker wrote:
> I just find it more logical to have it at the beginning, rather than
> the end. The way I see it, "set auto-load safe-path" is the first
> barrier involved in determining whether to auto-load a file or not.

While writing it I was pushing various paragraphs to the top but it has
problems that:

 * Every paragraph is pretty important.
 * The @node has to have some logical structure.  While it may look so the
   text I produce is not completely random, I try to keep it structured.

Also I believe most of the users should be enough with the warning message
about "auto-load safe-path".  Who opens the documentation I believe is OK to
read at least whole that one @node.


> But I'm fine either way. I think your patch is already a good
> improvement as it is.

Checked in.


Thanks,
Jan


http://sourceware.org/ml/gdb-cvs/2012-05/msg00082.html

--- src/gdb/doc/ChangeLog	2012/05/11 18:20:26	1.1313
+++ src/gdb/doc/ChangeLog	2012/05/11 18:23:11	1.1314
@@ -1,5 +1,12 @@
 2012-05-11  Jan Kratochvil  <jan.kratochvil@redhat.com>
 
+	* gdb.texinfo (Auto-loading, Init File in the Current Directory)
+	(libthread_db.so.1 file, objfile-gdb.gdb file, objfile-gdb.py file)
+	(dotdebug_gdb_scripts section): Add reference
+	to 'Auto-loading safe path'.
+
+2012-05-11  Jan Kratochvil  <jan.kratochvil@redhat.com>
+
 	Implement multi-component --with-auto-load-dir.
 	* gdb.texinfo (Auto-loading): New references
 	for 'set auto-load scripts-directory'
--- src/gdb/doc/gdb.texinfo	2012/05/11 18:20:26	1.959
+++ src/gdb/doc/gdb.texinfo	2012/05/11 18:23:11	1.960
@@ -20973,6 +20973,10 @@
 results or introduce security risks (e.g., if the file comes from untrusted
 sources).
 
+Note that loading of these associated files (including the local @file{.gdbinit}
+file) requires accordingly configured @code{auto-load safe-path}
+(@pxref{Auto-loading safe path}).
+
 For these reasons, @value{GDBN} includes commands and options to let you
 control when to auto-load files and which files should be auto-loaded.
 
@@ -21112,6 +21116,9 @@
 from init file (if any) in the current working directory,
 see @ref{Init File in the Current Directory during Startup}.
 
+Note that loading of this local @file{.gdbinit} file also requires accordingly
+configured @code{auto-load safe-path} (@pxref{Auto-loading safe path}).
+
 @table @code
 @anchor{set auto-load local-gdbinit}
 @kindex set auto-load local-gdbinit
@@ -21148,6 +21155,9 @@
 auto-load libthread-db} is enabled before trying to open such thread debugging
 library.
 
+Note that loading of this debugging library also requires accordingly configured
+@code{auto-load safe-path} (@pxref{Auto-loading safe path}).
+
 @table @code
 @anchor{set auto-load libthread-db}
 @kindex set auto-load libthread-db
@@ -21175,6 +21185,9 @@
 canned sequences of commands (@pxref{Sequences}), as long as @samp{set
 auto-load gdb-scripts} is set to @samp{on}.
 
+Note that loading of this script file also requires accordingly configured
+@code{auto-load safe-path} (@pxref{Auto-loading safe path}).
+
 For more background refer to the similar Python scripts auto-loading
 description (@pxref{objfile-gdb.py file}).
 
@@ -25465,7 +25478,10 @@
 directories mentioned in the value of @code{debug-file-directory}.
 
 Finally, if this file does not exist, then @value{GDBN} will look for
-@var{script-name} file in all of the directories specified by:
+@var{script-name} file in all of the directories as specified below.
+
+Note that loading of this script file also requires accordingly configured
+@code{auto-load safe-path} (@pxref{Auto-loading safe path}).
 
 @table @code
 @anchor{set auto-load scripts-directory}
@@ -25542,6 +25558,9 @@
 
 The script name may include directories if desired.
 
+Note that loading of this script file also requires accordingly configured
+@code{auto-load safe-path} (@pxref{Auto-loading safe path}).
+
 If the macro is put in a header, any application or library
 using this header will get a reference to the specified script.