1.0.10

2022-01-31 16:52:00 +01:00 · 2022-01-31 16:52:00 +01:00 · f5d648027a
parent 085b706131
commit f5d648027a
5 changed files with 82 additions and 6 deletions
--- a/Sandboxie/common/my_version.h
+++ b/Sandboxie/common/my_version.h
@ -21,8 +21,8 @@
 #ifndef _MY_VERSION_H
 #define _MY_VERSION_H

-#define MY_VERSION_BINARY       5,55,9
-#define MY_VERSION_STRING       "5.55.9"
+#define MY_VERSION_BINARY       5,55,10
+#define MY_VERSION_STRING       "5.55.10"
 #define MY_VERSION_COMPAT		"5.55.0" // this refers to the driver ABI compatibility

 // These #defines are used by either Resource Compiler, or by NSIC installer
--- a/Sandboxie/core/svc/ProcessServer.cpp
+++ b/Sandboxie/core/svc/ProcessServer.cpp
@ -28,6 +28,7 @@
 #include "DriverAssist.h"
 #include "GuiServer.h"
 #include "GuiWire.h"
+#include "FileServer.h"
 #include "misc.h"
 #include "common/defines.h"
 #include "common/my_version.h"
@ -537,7 +538,14 @@ MSG_HEADER *ProcessServer::RunSandboxedHandler(MSG_HEADER *msg)
                    *ptr = L'\0'; // end cmd where lpApplicationName ends
                    WCHAR* lpProgram = wcsrchr(lpApplicationName, L'\\');
                    if (lpProgram) {
-                        if (SbieDll_CheckStringInList(lpProgram + 1, boxname, L"BreakoutProcess")
+
+                        //
+                        // check if the process/directory is configued for breakout
+                        // if its a BreakoutProcess we must also test if the path is not in the sandbox itself
+                        //
+
+                        if ((SbieDll_CheckStringInList(lpProgram + 1, boxname, L"BreakoutProcess")
+                            && IsHostPath((HANDLE)(ULONG_PTR)CallerPid, lpApplicationName))
                            || SbieDll_CheckPatternInList(lpApplicationName, (ULONG)(lpProgram - lpApplicationName), boxname, L"BreakoutFolder")) {

                            //
@ -557,7 +565,7 @@ MSG_HEADER *ProcessServer::RunSandboxedHandler(MSG_HEADER *msg)
                                index = SbieApi_EnumBoxes(index, BoxName);
                                if (index == -1)
                                    break;
-                                
+
                                if (SbieDll_CheckStringInList(lpProgram + 1, BoxName, L"ForceProcess")
                                    || SbieDll_CheckPatternInList(lpApplicationName, (ULONG)(lpProgram - lpApplicationName), BoxName, L"ForceFolder")) {

--- a/Sandboxie/core/svc/main.cpp
+++ b/Sandboxie/core/svc/main.cpp
@ -533,4 +533,71 @@ bool IsProcessWoW64(HANDLE pid)
 #endif

    return IsWow64;
-}
+}
+
+
+//---------------------------------------------------------------------------
+// IsBoxedPath
+//---------------------------------------------------------------------------
+
+
+bool IsHostPath(HANDLE idProcess, WCHAR* dos_path)
+{
+    bool result = false; // false on failure
+    WCHAR* request_path = NULL;
+    WCHAR* sandbox_path = NULL;
+    ULONG len = 0;
+
+    //
+    // convert the dos path to an nt path
+    //
+
+    if (dos_path[0] == L'\\' && dos_path[1] == L'?' && dos_path[2] == L'?' && dos_path[3] == L'\\')
+        dos_path += 4; // skip L"\\??\\" is present
+
+    request_path = (WCHAR*)HeapAlloc(GetProcessHeap(), 0, (MAX_PATH + wcslen(dos_path)) * sizeof(WCHAR));
+    if (!request_path)
+        goto finish;
+
+    WCHAR save_char = dos_path[2];
+    dos_path[2] = L'\0'; // use X: , replace L'\\' with L'\0'
+    DWORD ret = QueryDosDeviceW(dos_path, request_path, MAX_PATH);
+    dos_path[2] = save_char; // restore L'\\'
+    if (ret == 0)
+        goto finish;
+
+    wcscat(request_path, &dos_path[2]); // combine the paths
+
+    //
+    // get the box file path for the calling process
+    //
+
+    if (!NT_SUCCESS(SbieApi_QueryProcessPath(idProcess, NULL, NULL, NULL, &len, NULL, NULL)))
+        goto finish;
+
+    sandbox_path = (WCHAR*)HeapAlloc(GetProcessHeap(), 0, len + 8 * sizeof(WCHAR));
+    if (!sandbox_path)
+        goto finish;
+
+    if (!NT_SUCCESS(SbieApi_QueryProcessPath(idProcess, sandbox_path, NULL, NULL, &len, NULL, NULL)))
+        goto finish;
+
+    //
+    // make sure the specified path is _NOT_ inside the sandbox
+    //
+
+    ULONG sandbox_path_len = wcslen(sandbox_path);
+    ULONG request_path_len = wcslen(request_path);
+    if (request_path_len <= sandbox_path_len || _wcsnicmp(sandbox_path, request_path, sandbox_path_len) != 0) {
+
+        result = true;
+    }
+
+finish:
+    if (request_path)
+        HeapFree(GetProcessHeap(), 0, request_path);
+    if (sandbox_path)
+        HeapFree(GetProcessHeap(), 0, sandbox_path);
+
+    return result;
+}
--- a/Sandboxie/core/svc/misc.h
+++ b/Sandboxie/core/svc/misc.h
@ -26,6 +26,7 @@ bool RestrictToken(void);
 bool CheckDropRights(const WCHAR *BoxName);

 bool IsProcessWoW64(HANDLE pid);
+bool IsHostPath(HANDLE idProcess, WCHAR* dos_path);

 extern HMODULE _Ntdll;
 extern HMODULE _Kernel32;
--- a/SandboxiePlus/version.h
+++ b/SandboxiePlus/version.h
@ -2,7 +2,7 @@

 #define VERSION_MJR		1
 #define VERSION_MIN 	0
-#define VERSION_REV 	9
+#define VERSION_REV 	10
 #define VERSION_UPD 	0

 #ifndef STR