jcs.org
mutt stable branch with some hacks
Compress: safe_fopen() the tempfile, to prevent tempfile attacks.
+17
-5
+17
-5
compress.c
+17
-5
compress.c
···
115
115
*
116
116
* Save the compressed filename in ctx->realpath.
117
117
* Create a temporary filename and put its name in ctx->path.
118
+
* The temporary file is created to prevent symlink attacks.
118
119
*
119
-
* Note: The temporary file is NOT created.
120
+
* Returns:
121
+
* 0: Success
122
+
* -1: Error
120
123
*/
121
-
static void
124
+
static int
122
125
setup_paths (CONTEXT *ctx)
123
126
{
124
127
if (!ctx)
125
-
return;
128
+
return -1;
126
129
127
130
char tmppath[_POSIX_PATH_MAX];
131
+
FILE *tmpfp;
128
132
129
133
/* Setup the right paths */
130
134
FREE(&ctx->realpath);
···
133
137
/* We will uncompress to /tmp */
134
138
mutt_mktemp (tmppath, sizeof (tmppath));
135
139
ctx->path = safe_strdup (tmppath);
140
+
141
+
if ((tmpfp = safe_fopen (ctx->path, "w")) == NULL)
142
+
return -1;
143
+
144
+
safe_fclose (&tmpfp);
145
+
return 0;
136
146
}
137
147
138
148
/**
···
424
434
if (!ci->close || (access (ctx->path, W_OK) != 0))
425
435
ctx->readonly = 1;
426
436
427
-
setup_paths (ctx);
437
+
if (setup_paths (ctx) != 0)
438
+
goto or_fail;
428
439
store_size (ctx);
429
440
430
441
int rc = execute_command (ctx, ci->open, 0, _("Decompressing %s"));
···
489
500
if ((ctx->magic != MUTT_MBOX) && (ctx->magic != MUTT_MMDF))
490
501
goto oa_fail1;
491
502
492
-
setup_paths (ctx);
503
+
if (setup_paths (ctx) != 0)
504
+
goto oa_fail2;
493
505
494
506
ctx->mx_ops = &mx_comp_ops;
495
507
ci->child_ops = mx_get_ops (ctx->magic);