author | demon <demon@FreeBSD.org> | 2005-01-25 10:06:05 +0000 |
---|---|---|
committer | demon <demon@FreeBSD.org> | 2005-01-25 10:06:05 +0000 |
commit | 98df1071e48c51921542ddca34d1ddb35b6c6a11 (patch) | |
tree | 8eea56dcc0cc129ba758db6cd363e65700197ead /audio/yamt | |
parent | 91682e8d7befdb6553d6e8eeb90d3fcf302c675e (diff) | |
Plug security hole.
Submitted by: simon
Diffstat (limited to 'audio/yamt')
-rw-r--r-- | audio/yamt/Makefile | 2 | ||||
-rw-r--r-- | audio/yamt/files/patch-yamt-directory-traversal | 123 |
2 files changed, 124 insertions, 1 deletions
diff --git a/audio/yamt/Makefile b/audio/yamt/Makefile
index ed97386..51d9588 100644
--- a/audio/yamt/Makefile
+++ b/audio/yamt/Makefile
@@ -7,7 +7,7 @@
 PORTNAME= yamt
 PORTVERSION= 0.5
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= audio gnome
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} \
 ftp://ftp.gpad.ac.ru/pub/FreeBSD/distfiles/
diff --git a/audio/yamt/files/patch-yamt-directory-traversal b/audio/yamt/files/patch-yamt-directory-traversal
new file mode 100644
index 0000000..99ec831
--- /dev/null
+++ b/audio/yamt/files/patch-yamt-directory-traversal
@@ -0,0 +1,123 @@
+--- src/id3tag.c
++++ src/id3tag.c
+@@ -389,12 +389,20 @@
+ return(1);
+ }
+ 
++static void id3tag_sanitize (char *string)
++{
++ while ((string = strchr (string, '/')))
++ {
++ *string = '_';
++ }
++}
++
+ /* This function renames a file based on its tag in the given format */
+ int id3tag_rename( char *filename, char *format )
+ {
+ struct id3tag tag;
+ struct stat stbuf;
+- char target_filename[80]="";
++ char target_filename[PATH_MAX]="";
+ char buffer[10]="";
+ char *tmp;
+ int i;
+@@ -425,36 +433,42 @@
+ {
+ case 't':
+ strcat( target_filename, tag.title);
++ id3tag_sanitize (target_filename+i2);
+ i2=i2+strlen(tag.title);
+ i++;
+ break;
+ 
+ case 'a':
+ strcat( target_filename, tag.artist);
++ id3tag_sanitize (target_filename+i2);
+ i2=i2+strlen(tag.artist);
+ i++;
+ break;
+ 
+ case 'b':
+ strcat( target_filename, tag.album);
++ id3tag_sanitize (target_filename+i2);
+ i2=i2+strlen(tag.album);
+ i++;
+ break;
+ 
+ case 'c':
+ strcat( target_filename, tag.comment);
++ id3tag_sanitize (target_filename+i2);
+ i2=i2+strlen(tag.comment);
+ i++;
+ break;
+ 
+ case 'y':
+ strcat( target_filename, tag.year);
++ id3tag_sanitize (target_filename+i2);
+ i2=i2+strlen(tag.year);
+ i++;
+ break;
+ 
+ case 'g':
+ strcat( target_filename, id3tag_get_genre(tag.genre));
++ id3tag_sanitize (target_filename+i2);
+ i2=i2+strlen(id3tag_get_genre(tag.genre));
+ i++;
+ break;
+@@ -521,9 +535,9 @@
+ int id3tag_sort( char *filename, char *rootdir, char *format_level1, char *format_level2 )
+ {
+ struct id3tag tag;
+- char *dir_level1=NULL;
+- char *dir_level2=NULL;
+- char target_filename[80];
++ char *dir_level1=NULL, *dir_level1_sanitized;
++ char *dir_level2=NULL, *dir_level2_sanitized;
++ char source_filename[PATH_MAX], target_filename[PATH_MAX];
+ char dir_cur[80];
+ 
+ 
+@@ -554,8 +568,10 @@
+ chdir(rootdir);
+ if( dir_level1[0] == '\0' )
+ dir_level1 = "Unknown";
+- yamtlog("%s %s", "New directory: ", dir_level1);
+- mkdir( dir_level1, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH );
++ dir_level1_sanitized = strdup (dir_level1);
++ id3tag_sanitize (dir_level1_sanitized);
++ yamtlog("%s %s", "New directory: ", dir_level1_sanitized);
++ mkdir( dir_level1_sanitized, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH );
+ 
+ /* Level 2 */
+ if( strcmp( format_level2, "Album") == 0 )
+@@ -573,18 +589,24 @@
+ 
+ if( dir_level2[0] == '\0' )
+ dir_level2 = "Unknown";
+- yamtlog("%s %s", "New directory: ", dir_level2);
++ dir_level2_sanitized = strdup (dir_level2);
++ id3tag_sanitize (dir_level2_sanitized);
++ yamtlog("%s %s", "New directory: ", dir_level2_sanitized);
+ 
+ /* Go into the previously created directory */
+- chdir( dir_level1 );
+- mkdir( dir_level2, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH );
++ chdir( dir_level1_sanitized );
++ mkdir( dir_level2_sanitized, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH );
+ /* Move the file into the new (?) directory */
+ 
+- sprintf( target_filename, "mv \"%s/%s\" \"%s%s/%s/%s\"", dir_cur, filename, rootdir, dir_level1, dir_level2, filename );
++ snprintf( source_filename, PATH_MAX, "%s/%s", dir_cur, filename );
++ snprintf( target_filename, PATH_MAX, "%s%s/%s/%s", rootdir, dir_level1_sanitized, dir_level2_sanitized, filename );
++
++ free (dir_level1_sanitized);
++ free (dir_level2_sanitized);
+ 
+ yamtlog("%s %s", "Sorted ", filename );
+ 
+- system( target_filename );
++ rename( source_filename, target_filename );
+ 
+ /* if( (rename( filename, target_filename )) ) */
+ /* { */
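Review bot: id3tag_sanitize rewrites only '/', so a tag whose entire value is `..` (or `.`) passes through unchanged, and the `@@ -554` and `@@ -573` hunks then call `mkdir`/`chdir` on it and build `rootdir` + `..` + `/<dir2>/<file>` for `rename`, which appears to still place the sorted file one level above rootdir. The helper should additionally rewrite a component equal to "." or "..", and it needs a scratch pointer because the loop currently advances `string` itself, leaving nothing to compare afterwards. Separately, the `strcat` calls in the `@@ -425` hunk still append each tag field unbounded into `target_filename[PATH_MAX]`, so the larger buffer only moves the overflow; appending with `snprintf` against the remaining space (or checking `strlen` before each `strcat`) would close it. The two `strdup` results are not NULL-checked before being passed to the helper, and the new `rename` return value is ignored even though, unlike the replaced `mv`, it fails with EXDEV when rootdir is on another filesystem while "Sorted" is still logged. Both id3tag_rename and id3tag_sort continue outside the hunks shown.
```c
static void id3tag_sanitize (char *string)
{
	char *p = string;

	while ((p = strchr (p, '/')))
	{
		*p = '_';
	}
	/* a bare "." or ".." component would still step out of rootdir */
	if (strcmp (string, ".") == 0 || strcmp (string, "..") == 0)
	{
		string[0] = '_';
	}
}
```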