From 2d2b76aeb17b0d6b67eca2d1ed370fec68a8f9d9 Mon Sep 17 00:00:00 2001
From: Kevin McCarthy
Date: Sun, 13 Nov 2016 20:02:35 -0800
Subject: Compress: safe_fopen() the tempfile, to prevent tempfile attacks.

---
 compress.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

(limited to 'compress.c')

diff --git a/compress.c b/compress.c
index 0e647cbf..a588a0c7 100644
--- a/compress.c
+++ b/compress.c
@@ -115,16 +115,20 @@ unlock_mailbox (CONTEXT *ctx, FILE *fp)
 *
 * Save the compressed filename in ctx->realpath.
 * Create a temporary filename and put its name in ctx->path.
+ * The temporary file is created to prevent symlink attacks.
 *
- * Note: The temporary file is NOT created.
+ * Returns:
+ * 0: Success
+ * -1: Error
 */
-static void
+static int
 setup_paths (CONTEXT *ctx)
 {
 if (!ctx)
- return;
+ return -1;

 char tmppath[_POSIX_PATH_MAX];
+ FILE *tmpfp;

 /* Setup the right paths */
 FREE(&ctx->realpath);
@@ -133,6 +137,12 @@ setup_paths (CONTEXT *ctx)
 /* We will uncompress to /tmp */
 mutt_mktemp (tmppath, sizeof (tmppath));
 ctx->path = safe_strdup (tmppath);
+
+ if ((tmpfp = safe_fopen (ctx->path, "w")) == NULL)
+ return -1;
+
+ safe_fclose (&tmpfp);
+ return 0;
 }

 /**
@@ -424,7 +434,8 @@ open_mailbox (CONTEXT *ctx)
 if (!ci->close || (access (ctx->path, W_OK) != 0))
 ctx->readonly = 1;

- setup_paths (ctx);
+ if (setup_paths (ctx) != 0)
+ goto or_fail;
 store_size (ctx);

 int rc = execute_command (ctx, ci->open, 0, _("Decompressing %s"));
@@ -489,7 +500,8 @@ open_append_mailbox (CONTEXT *ctx, int flags)
 if ((ctx->magic != MUTT_MBOX) && (ctx->magic != MUTT_MMDF))
 goto oa_fail1;

- setup_paths (ctx);
+ if (setup_paths (ctx) != 0)
+ goto oa_fail2;

 ctx->mx_ops = &mx_comp_ops;
 ci->child_ops = mx_get_ops (ctx->magic);
--
cgit v1.2.3
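Review bot: The added header line `The temporary file is created to prevent symlink attacks.` on setup_paths does not tell callers what they now own. The function used to create nothing and now leaves a file on disk, so I would state the contract, e.g. `* On success an empty temporary file exists at ctx->path; the caller must remove it on any later failure.` Under `-1: Error` it is also worth noting that ctx->path may already hold the temporary name when the function fails, because the assignment in the next hunk precedes the safe_fopen call. The function body continues outside this hunk.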
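Review bot: The `return -1` after a failed `safe_fopen (ctx->path, "w")` is silent and leaves the context half-switched, with ctx->path already pointing at the temporary name. Adding `mutt_perror (ctx->path);` before that return would surface the errno, which matters here because a failure at this point can mean the name was already taken in the temp directory. The protection rests on safe_fopen refusing an existing file or symlink in "w" mode, which this diff does not show. It presumably also depends on the decompress command reopening the same path by name after the file is closed. I would record both assumptions in a short comment next to the call, e.g. `/* pre-create the file; relies on safe_fopen() failing if the path already exists */`.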
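Review bot: `goto or_fail` in open_mailbox is taken when setup_paths could not create the temporary file, yet ctx->path already names that path. The or_fail label is outside the hunk, so confirm it does not unlink ctx->path in this case, since any file found there was not created by this process. The same applies to `goto oa_fail2` in the open_append_mailbox hunk: if oa_fail2 differs from oa_fail1 only by removing the temporary file, `goto oa_fail1;` is the safer target there. A one-line comment at each call saying which cleanup the chosen label performs would make the intent checkable.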