- files.c:
write_file()
- Unsetting modified on temp files bug fixed (Rocco Corsi).
- - Okay, if tmp == 1 and the file is a symlink the user doesn't
- own, we return -1.
+ - Okay, if tmp == 1 and the file exists, we abort.
do_insertfile()
- Added call to real_name_from tilde, oops. Added check for
DISABLE_TABCOMP.
die()
- Now creates .save file using variable-length strings. Also
calls write_file with tmp == 1, which happens to do exactly what
- we want (abort on save file is a symlink and use mode 0600).
+ we want (abort on save file exists and use mode 0600).
handle_sighup()
- Now calls die instead of writing on its own and exiting normally.
- search.c:
realname = mallocstrcpy(realname, name);
#endif
-
/* Save the state of file at the end of the symlink */
realexists = stat(realname, &st);
cause unexpected behavior */
lstat(realname, &st);
- /* New case: if it's a symlink and tmp is set AND the user does not
- own the symlink, abort. It could be a symlink attack */
- if (tmp && S_ISLNK(st.st_mode) && getuid() != st.st_uid)
+ /* New case: if the file exists, just give up. Easy way out of
+ all security issues */
+ if (tmp && realexists != -1)
return -1;
else if (ISSET(FOLLOW_SYMLINKS) || !S_ISLNK(st.st_mode)) {
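Review bot: The new guard `if (tmp && realexists != -1)` tests the result of `stat()`, which follows symlinks, so a dangling symlink at the save path makes `stat()` fail and passes the check as "does not exist". The `lstat()` on the line above is the call that would see the link, but its return value is discarded; consider `if (tmp && lstat(realname, &st) != -1) return -1;`. When both calls fail, `st` may hold no valid data, yet `S_ISLNK(st.st_mode)` is still evaluated in the `else if`. Check-then-open also stays racy after that fix, so if the open call (outside this hunk) can take `O_CREAT | O_EXCL` in the tmp case, the existence test becomes atomic and a symlink in the final path component is refused. write_file's body starts and ends outside the hunk.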
} else {
/* Use permissions from file we are overwriting. */
mask = st.st_mode;
- if (!tmp && unlink(realname) == -1) {
+ if (unlink(realname) == -1) {
if (errno != ENOENT) {
statusbar(_("Could not open %s for writing: %s"),
realname, strerror(errno));
if (i != -1)
fprintf(stderr, _("\nBuffer written to %s\n"), name);
else
- fprintf(stderr, _("\nNo .save file written (symlink encountered?)\n"));
+ fprintf(stderr, _("\nNo .save file written (file exists?)\n"));
exit(1); /* We have a problem: exit w/ errorlevel(1) */
}
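Review bot: With write_file now refusing any existing target when tmp is set, the `else` branch here is reached whenever a `.save` file is already present, including one left by the user's own earlier crash, and the buffer is then lost at `exit(1)`. The text `(file exists?)` can only guess at the cause, since as far as this page shows write_file returns -1 for the exists case just as for other failures. A distinct return value for that case would let die() report it definitively and name the path. A fallback that retries under a different, exclusively created name (for example a numbered suffix) would keep the protection without dropping the emergency save. die's body begins outside the hunk.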