
Re: Fw: [Groff] Bug#56702: [PATCH] security bugfix for grohtml


From: Gaius Mulley
Subject: Re: Fw: [Groff] Bug#56702: [PATCH] security bugfix for grohtml
Date: Mon, 7 Feb 2000 15:10:24 +0000 (GMT)

Werner writes:

> can you take care of the grohtml related fixes of this bug report?  I
> would prefer if you could handle this...

sure ok, here is Colin's fix with a couple of extra mods.

cheers Gaius


--- groff-cvs/src/devices/grohtml/html.cc       Sun Feb  6 09:37:40 2000
+++ groff-html/src/devices/grohtml/html.cc      Mon Feb  7 14:57:16 2000
@@ -35,6 +35,9 @@
 #include <unistd.h>
 #endif
 
+#include <stdio.h>
+#include <fcntl.h>
+
 #include "ordered_list.h"
 
 #if !defined(TRUE)
@@ -1547,8 +1550,11 @@
 void html_printer::make_new_image_name (void)
 {
   image_number++;
-  if ((strcmp(current_filename, "<standard input>") == 0) ||
-      (strcmp(current_filename, "-") == 0)) {
+
+  if ((current_filename == 0) ||
+      (strcmp(current_filename, "<standard input>") == 0) ||
+      (strcmp(current_filename, "-") == 0) ||
+      (strchr(current_filename, '/') != 0)) {
     sprintf(image_name, "grohtml-%d-%ld", image_number, (long)getpid());
   } else {
     sprintf(image_name, "%s-%d-%ld", current_filename, image_number, 
(long)getpid());
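Review bot: The else branch still writes current_filename into image_name with an unbounded `sprintf`, so the added null and '/' checks restrict which names are used but not how long they are. The declaration of image_name is outside this hunk; if it is a fixed-size array, a long input file name can overrun it. Bound the write, for example `snprintf(image_name, sizeof(image_name), "%s-%d-%ld", current_filename, image_number, (long)getpid());` (this assumes an array, not a pointer), and fall back to the `grohtml-` form when the result would be truncated. The body of make_new_image_name continues past the end of the hunk.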
@@ -2402,18 +2408,27 @@
   return( (g->minv < t->minv) || ((g->minv == t->minv) && (g->minh < t->minh)) 
);
 }
 
-static FILE *create_file (char *filename)
+/*
+ *  create_tmp_file - opens a filename in /tmp carefully checking for failure
+ *                    otherwise security could be circumvented.
+ */
+
+static FILE *create_tmp_file (char *filename)
 {
   FILE *f;
+  int   fd;
 
   errno = 0;
-  f = fopen(filename, "w");
+  /* This file is in /tmp, so open carefully */
+  fd = open(filename, O_WRONLY | O_CREAT | O_EXCL, 0600);
+  if (fd < 0) {
+    fatal("can't create `%1'", filename);
+  }
+  f  = fdopen(fd, "w");
   if (f == 0) {
-    error("can't create `%1'", filename);
-    return( 0 );
-  } else {
-    return( f );
+    fatal("can't create `%1'", filename);
   }
+  return( f );
 }
 
 void html_printer::convert_to_image (char *name)
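Review bot: Both failure paths in create_tmp_file report only "can't create" and discard errno, although `errno = 0` is still set at the top of the function. An EEXIST from the O_EXCL open (the name was already present in /tmp) is then indistinguishable from a full disk or a permission error, which is exactly the case an operator would want to see. Include the reason, e.g. ``fatal("can't create `%1': %2", filename, strerror(errno));``. If fdopen fails the descriptor stays open, which is acceptable only as long as fatal() never returns (its definition is not in this hunk). The name comes from create_temp_name, also outside the hunk; if it is predictable, creating and opening the file in one step with mkstemp() would avoid a fatal exit on a name collision.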
@@ -2490,7 +2505,7 @@
   if (! is_to_html) {
     is_center = html_position_region();
     create_temp_name(name, "troff");
-    f = create_file(name);
+    f = create_tmp_file(name);
     troff.set_file(f);
     prologue();
     output_style.f = 0;
--- groff-cvs/src/devices/grohtml/ChangeLog     Sun Feb  6 09:37:28 2000
+++ groff-html/src/devices/grohtml/ChangeLog    Mon Feb  7 14:57:24 2000
@@ -1,3 +1,12 @@
+2000-02-07  Gaius Mulley  <address@hidden>
+
+       * html.cc: tidied up html.cc and fixed name of image if
+       the source file is in a different directory.
+       
+2000-02-07  Colin Phipps <address@hidden>
+
+       * html.cc: identified & fixed security bug when creating files in /tmp
+
 2000-01-28  Gaius Mulley  <address@hidden>
 
        * html.cc: Minor fixes.

