diff options
author | Thomas Roessler <roessler@does-not-exist.org> | 2004-04-12 21:43:32 +0000 |
---|---|---|
committer | Thomas Roessler <roessler@does-not-exist.org> | 2004-04-12 21:43:32 +0000 |
commit | 5859741bece077e8d758a9226f365e6d573db044 (patch) | |
tree | 6718a17e723cd0d900a0031a9f0fe8829a57d252 | |
parent | 3561c82e22b42b3b099453ff3bb05eb43ba691bf (diff) |
Don't open a file for writing that we have unlinked before. Reported
embarassingly long ago by Jarno Huuskonen <Jarno.Huuskonen@uku.fi>.
-rw-r--r-- | attach.c | 13 | ||||
-rw-r--r-- | lib.c | 14 |
2 files changed, 23 insertions, 4 deletions
@@ -108,7 +108,8 @@ int mutt_compose_attachment (BODY *a) if (mutt_yesorno (_("Can't match nametemplate, continue?"), M_YES) != M_YES) goto bailout; } - unlink_newfile = 1; + else + unlink_newfile = 1; } else strfcpy(newfile, a->filename, sizeof(newfile)); @@ -173,7 +174,11 @@ int mutt_compose_attachment (BODY *a) fclose (fp); fclose (tfp); mutt_unlink (a->filename); - mutt_rename_file (tempfile, a->filename); + if (mutt_rename_file (tempfile, a->filename) != 0) + { + mutt_perror _("Failure to rename file."); + goto bailout; + } mutt_free_body (&b); } @@ -235,7 +240,8 @@ int mutt_edit_attachment (BODY *a) if (mutt_yesorno (_("Can't match nametemplate, continue?"), M_YES) != M_YES) goto bailout; } - unlink_newfile = 1; + else + unlink_newfile = 1; } else strfcpy(newfile, a->filename, sizeof(newfile)); @@ -607,6 +613,7 @@ int mutt_view_attachment (FILE *fp, BODY *a, int flag, HEADER *hdr, rc = mutt_do_pager (descrip, pagerfile, M_PAGER_ATTACHMENT | (is_message ? M_PAGER_MESSAGE : 0), &info); + *pagerfile = '\0'; } else rc = 0; @@ -181,13 +181,25 @@ char *mutt_strlower (char *s) void mutt_unlink (const char *s) { + int fd; + int flags; FILE *f; struct stat sb; char buf[2048]; + + /* Defend against symlink attacks */ + +#ifdef O_NOFOLLOW + flags = O_RDWR | O_NOFOLLOW; +#else + flags = O_RDWR; +#endif if (stat (s, &sb) == 0) { - if ((f = fopen (s, "r+"))) + if ((fd = open (s, flags)) < 0) + return; + if ((f = fdopen (fd, "r+"))) { unlink (s); memset (buf, 0, sizeof (buf)); |