tree-wide: add basic validation of --background argument

Check whether the argument of the `--background` option of
`systemd-run`, `run0`, `systemd-nspawn`, `systemd-vmspawn`, and
`systemd-pty-forward` is either empty or looks like an ANSI color code,
and reject invalid values when parsing arguments.

We consider a string to look like an ANSI color code if it consists of
one or more sequences of ASCII digits separated by semicolons. This
permits every valid ANSI color code, and should reject anything that
results in garbled output.

rules.d/60-block.rules

@@ -13,4 +13,4 @@ ACTION!="remove", SUBSYSTEM=="block", \
   OPTIONS+="watch"
 
 # Reset access rights to each loopback device once it gets detached.
-SUBSYSTEM=="block", ACTION=="change", ENV{DISK_MEDIA_CHANGE}=="1", TEST!="loop/backing_file", GROUP="disk", MODE="660"
+ACTION=="change", SUBSYSTEM=="block", KERNEL=="loop*", ENV{DISK_MEDIA_CHANGE}=="1", TEST!="loop/backing_file", GROUP="disk", MODE="660"

src/basic/ansi-color.c

@@ -100,3 +100,28 @@ static const char* const color_mode_table[_COLOR_MODE_MAX] = {
 };
 
 DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(color_mode, ColorMode, COLOR_24BIT);
+
+/*
+ * Check that the string is formatted like an ANSI color code, i.e. that it consists of one or more
+ * sequences of ASCII digits separated by semicolons. This is equivalent to matching the regex:
+ *      ^[0-9]+(;[0-9]+)*$
+ * This can be used to partially validate escape codes of the form "\x1B[%sm", accepting all valid
+ * ANSI color codes while rejecting anything that would result in garbled output (such as injecting
+ * text or changing the type of escape code).
+ */
+bool looks_like_ansi_color_code(const char *str) {
+        assert(str);
+
+        bool prev_char_was_digit = false;
+
+        for (char c = *str; c != '\0'; c = *(++str)) {
+                if (ascii_isdigit(c))
+                        prev_char_was_digit = true;
+                else if (prev_char_was_digit && c == ';')
+                        prev_char_was_digit = false;
+                else
+                        return false;
+        }
+
+        return prev_char_was_digit;
+}

src/basic/ansi-color.h

@@ -28,6 +28,8 @@ bool underline_enabled(void);
 
 void reset_ansi_feature_caches(void);
 
+bool looks_like_ansi_color_code(const char *str);
+
 /* Regular colors */
 #define ANSI_BLACK   "\x1B[0;30m" /* Some type of grey usually. */
 #define ANSI_RED     "\x1B[0;31m"

src/nspawn/nspawn.c

@@ -1529,7 +1529,7 @@ static int parse_argv(int argc, char *argv[]) {
                         break;
 
                 case ARG_BACKGROUND:
-                        r = free_and_strdup_warn(&arg_background, optarg);
+                        r = parse_background_argument(optarg, &arg_background);
                         if (r < 0)
                                 return r;
                         break;

src/ptyfwd/ptyfwd-tool.c

@@ -9,6 +9,7 @@
 #include "fd-util.h"
 #include "log.h"
 #include "main-func.h"
+#include "parse-argument.h"
 #include "pidref.h"
 #include "pretty-print.h"
 #include "process-util.h"
@@ -96,7 +97,7 @@ static int parse_argv(int argc, char *argv[]) {
                         break;
 
                 case ARG_BACKGROUND:
-                        r = free_and_strdup_warn(&arg_background, optarg);
+                        r = parse_background_argument(optarg, &arg_background);
                         if (r < 0)
                                 return r;
                         break;

src/run/run.c

@@ -686,7 +686,7 @@ static int parse_argv(int argc, char *argv[]) {
                         break;
 
                 case ARG_BACKGROUND:
-                        r = free_and_strdup_warn(&arg_background, optarg);
+                        r = parse_background_argument(optarg, &arg_background);
                         if (r < 0)
                                 return r;
                         break;
@@ -978,7 +978,7 @@ static int parse_argv_sudo_mode(int argc, char *argv[]) {
                         break;
 
                 case ARG_BACKGROUND:
-                        r = free_and_strdup_warn(&arg_background, optarg);
+                        r = parse_background_argument(optarg, &arg_background);
                         if (r < 0)
                                 return r;
 

src/shared/parse-argument.c

@@ -1,6 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
 #include "alloc-util.h"
+#include "ansi-color.h"
 #include "bus-util.h"
 #include "format-table.h"
 #include "hostname-util.h"
@@ -163,3 +164,10 @@ int parse_machine_argument(const char *s, const char **ret_host, BusTransport *r
 
         return 0;
 }
+
+int parse_background_argument(const char *s, char **arg) {
+        if (!isempty(s) && !looks_like_ansi_color_code(s))
+                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid --background= argument: %s", s);
+
+        return free_and_strdup_warn(arg, s);
+}

src/shared/parse-argument.h

@@ -9,3 +9,4 @@ int parse_json_argument(const char *s, sd_json_format_flags_t *ret);
 int parse_path_argument(const char *path, bool suppress_root, char **arg);
 int parse_signal_argument(const char *s, int *ret);
 int parse_machine_argument(const char *s, const char **ret_host, BusTransport *ret_transport);
+int parse_background_argument(const char *s, char **arg);

src/test/test-parse-argument.c

@@ -54,4 +54,37 @@ TEST(parse_signal_argument) {
         assert_se(signal == SIGABRT);
 }
 
+TEST(parse_background_argument) {
+        _cleanup_free_ char *arg_bg_good = NULL;
+
+        /* Should accept empty string */
+        assert_se(parse_background_argument("", &arg_bg_good) >= 0);
+        ASSERT_STREQ(arg_bg_good, "");
+
+        /* Should accept ANSI color codes in palette, 8-bit, or 24-bit format */
+        assert_se(parse_background_argument("42", &arg_bg_good) >= 0);
+        ASSERT_STREQ(arg_bg_good, "42");
+
+        assert_se(parse_background_argument("48;5;219", &arg_bg_good) >= 0);
+        ASSERT_STREQ(arg_bg_good, "48;5;219");
+
+        assert_se(parse_background_argument("48;2;3;141;59", &arg_bg_good) >= 0);
+        ASSERT_STREQ(arg_bg_good, "48;2;3;141;59");
+
+        _cleanup_free_ char *arg_bg_bad = NULL;
+
+        /* Should reject various invalid arguments */
+        assert_se(parse_background_argument("42;", &arg_bg_bad) < 0);
+        ASSERT_NULL(arg_bg_bad);
+
+        assert_se(parse_background_argument(";42", &arg_bg_bad) < 0);
+        ASSERT_NULL(arg_bg_bad);
+
+        assert_se(parse_background_argument("4;;2", &arg_bg_bad) < 0);
+        ASSERT_NULL(arg_bg_bad);
+
+        assert_se(parse_background_argument("4a2", &arg_bg_bad) < 0);
+        ASSERT_NULL(arg_bg_bad);
+}
+
 DEFINE_TEST_MAIN(LOG_INFO);

src/vmspawn/vmspawn.c

@@ -612,7 +612,7 @@ static int parse_argv(int argc, char *argv[]) {
                         break;
 
                 case ARG_BACKGROUND:
-                        r = free_and_strdup_warn(&arg_background, optarg);
+                        r = parse_background_argument(optarg, &arg_background);
                         if (r < 0)
                                 return r;
                         break;