author | cperciva <cperciva@FreeBSD.org> | 2006-01-11 08:02:16 +0000 |
---|---|---|
committer | cperciva <cperciva@FreeBSD.org> | 2006-01-11 08:02:16 +0000 |
commit | 140c58ca2739ba49a909c87a3c29ebc86724292b (patch) | |
tree | 7a81b7b15e028ef4d566ed7f81e8129a4aa4bf9a /usr.bin/ee | |
parent | 46b45ed528b253ce008188904a0946cd0f9a6372 (diff) | |
Correct insecure temporary file usage in texindex. [06:01]
Correct insecure temporary file usage in ee. [06:02]
Correct a race condition when setting file permissions, sanitize file
names by default, and fix a buffer overflow when handling files
larger than 4GB in cpio. [06:03]
Fix an error in the handling of IP fragments in ipfw which can cause
a kernel panic. [06:04]
Security: FreeBSD-SA-06:01.texindex
Security: FreeBSD-SA-06:02.ee
Security: FreeBSD-SA-06:03.cpio
Security: FreeBSD-SA-06:04.ipfw
Diffstat (limited to 'usr.bin/ee')
-rw-r--r-- | usr.bin/ee/ee.c | 34 |
1 files changed, 22 insertions, 12 deletions
diff --git a/usr.bin/ee/ee.c b/usr.bin/ee/ee.c index 0284b7f..17ecc31 100644 --- a/usr.bin/ee/ee.c +++ b/usr.bin/ee/ee.c @@ -300,7 +300,7 @@ void finish P_((void)); int quit P_((int noverify)); void edit_abort P_((int arg)); void delete_text P_((void)); -int write_file P_((char *file_name)); +int write_file P_((char *file_name, int warn_if_exists)); int search P_((int display_message)); void search_prompt P_((void)); void del_char P_((void)); @@ -1688,7 +1688,7 @@ char *cmd_str1; cmd_str = cmd_str2 = get_string(file_write_prompt_str, TRUE); } tmp_file = resolve_name(cmd_str); - write_file(tmp_file); + write_file(tmp_file, 1); if (tmp_file != cmd_str) free(tmp_file); } @@ -2395,7 +2395,7 @@ finish() /* prepare to exit edit session */ file_name = tmp_file; } - if (write_file(file_name)) + if (write_file(file_name, 1)) { text_changes = FALSE; quit(0); @@ -2472,8 +2472,9 @@ delete_text() } int -write_file(file_name) +write_file(file_name, warn_if_exists) char *file_name; +int warn_if_exists; { char cr; char *tmp_point; @@ -2483,7 +2484,8 @@ char *file_name; int write_flag = TRUE; charac = lines = 0; - if ((in_file_name == NULL) || strcmp(in_file_name, file_name)) + if (warn_if_exists && + ((in_file_name == NULL) || strcmp(in_file_name, file_name))) { if ((temp_fp = fopen(file_name, "r"))) { @@ -3725,7 +3727,7 @@ int arg; { string = get_string(file_write_prompt_str, TRUE); tmp_file = resolve_name(string); - write_file(tmp_file); + write_file(tmp_file, 1); if (tmp_file != string) free(tmp_file); free(string); @@ -3762,7 +3764,7 @@ int arg; string = tmp_file; } } - if (write_file(string)) + if (write_file(string, 1)) { in_file_name = string; text_changes = FALSE; 
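Review bot: The new `warn_if_exists` argument of write_file has no comment, and passing 0 skips the block that opens the target for reading (presumably the overwrite prompt), so a later caller could overwrite an existing file without asking. I would document it at the definition, e.g. `/* warn_if_exists: nonzero = check for an existing file before writing; pass 0 only for a file the caller has just created itself */`. The updated call sites also pass a bare `1`, while the surrounding code uses TRUE/FALSE (`get_string(file_write_prompt_str, TRUE)`), so `write_file(tmp_file, TRUE)` would be more consistent. write_file's body continues outside the hunk.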
@@ -4375,17 +4377,25 @@ spell_op() /* check spelling of words in the editor */ void ispell_op() { - char name[128]; + char template[128], *name; char string[256]; - int pid; + int fd; if (restrict_mode()) { return; } - pid = getpid(); - sprintf(name, "/tmp/ee.%d", pid); - if (write_file(name)) + (void)sprintf(template, "/tmp/ee.XXXXXXXX"); + name = mktemp(&template[0]); + fd = open(name, O_CREAT | O_EXCL | O_RDWR, 0600); + if (fd < 0) { + wmove(com_win, 0, 0); + wprintw(com_win, create_file_fail_msg, name); + wrefresh(com_win); + return; + } + close(fd); + if (write_file(name, 0)) { sprintf(string, "ispell %s", name); sh_command(string); |
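Review bot: In ispell_op the exclusive creation is given up at `close(fd)`: write_file(name, 0) receives only the path and, with the existence check disabled, presumably reopens it by name (its body is not in this hunk), so from that point safety rests on /tmp being sticky rather than on O_EXCL. The mktemp()/open() pair can be a single call, `fd = mkstemp(template);` with `name = template;`, which also removes the unchecked mktemp() return (on failure it can return NULL, and `name` is then passed to open() and to wprintw()). A short comment above `close(fd)` stating why reopening by name is acceptable here would help the next reader. The function continues past the end of the hunk, so whether the temporary file is removed afterwards cannot be seen here.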