system-info-tool: Fix to use mkdir() instead of system("/usr/bin/mkdir")

In contrast to the older tizen version, the system-info-tool has changed
to be installed on the image by default. Therefore it becomes important
that the execution of shell command injection(CWE-77, CWE-78). To prevent
this, use mkdir() syscall instead.

Change-Id: Ibd60eb6461f457c125b4739ee8e263cb8dd5c4cb
Signed-off-by: Youngjae Cho <y0.cho@samsung.com>

diff --git a/tool/system-info-tool-set.c b/tool/system-info-tool-set.c
index 94000781f2db930fdd6122f09e1ec8b3635677c4..07ef894edf864e06d18e8e542103380c98be5de0 100644 (file)
--- a/tool/system-info-tool-set.c
+++ b/tool/system-info-tool-set.c
@@ -5,6 +5,8 @@
 #include <getopt.h>
 #include <errno.h>
 #include <sys/file.h>
+#include <sys/stat.h>
+#include <sys/types.h>
 
 #include "system-info-tool.h"
 #include "system-info-tool-get.h"
@@ -221,9 +223,39 @@ static int system_info_tool_set_entry(const char *key, struct value value)
                return add_new_entry(key, value);
 }
 
+static int mkdir_p(const char *path, mode_t mode)
+{
+       char dir[PATH_MAX] = { 0 , };
+       int ret;
+
+       if (!path || path[0] != '/')
+               return -EINVAL;
+
+       ret = snprintf(dir, PATH_MAX, "%s", path);
+       if (ret < 0)
+               return -EIO;
+
+       if (ret >= PATH_MAX)
+               return -ENAMETOOLONG;
+
+       for (char *p = strchr(dir + 1, '/'); p; p = strchr(p + 1, '/')) {
+               *p = '\0';
+               ret = mkdir(dir, mode);
+               if (ret < 0 && errno != EEXIST)
+                       return -errno;
+               *p = '/';
+       }
+
+       ret = mkdir(dir, mode);
+       if (ret < 0 && errno != EEXIST)
+               return -errno;
+
+       return 0;
+}
+
 static int system_info_tool_init_rw_database(void)
 {
-       return system("/usr/bin/mkdir -p "SYSTEM_INFO_DB_RW_PATH);
+       return mkdir_p(SYSTEM_INFO_DB_RW_PATH, 0755);
 }
 
 int system_info_tool_set(int argc, char *argv[])