Fix insecure tempfile usage in ee, see FreeBSD-SA-06:02.ee
authorSimon Schubert <corecode@dragonflybsd.org>
Sun, 15 Jan 2006 00:07:31 +0000 (00:07 +0000)
committerSimon Schubert <corecode@dragonflybsd.org>
Sun, 15 Jan 2006 00:07:31 +0000 (00:07 +0000)
usr.bin/ee/ee.c

index f55df96..dc5d3cf 100644 (file)
@@ -50,7 +50,7 @@
  |     copyright.  All rights are reserved.
  *
  * $FreeBSD: src/usr.bin/ee/ee.c,v 1.16.2.6 2002/05/11 16:33:06 mp Exp $
- * $DragonFly: src/usr.bin/ee/ee.c,v 1.3 2003/10/04 20:36:43 hmp Exp $
+ * $DragonFly: src/usr.bin/ee/ee.c,v 1.4 2006/01/15 00:07:31 corecode Exp $
  */
 
 char *ee_copyright_message = 
@@ -300,7 +300,7 @@ void finish P_((void));
 int quit P_((int noverify));
 void edit_abort P_((int arg));
 void delete_text P_((void));
-int write_file P_((char *file_name));
+int write_file P_((char *file_name, int warn_if_exists));
 int search P_((int display_message));
 void search_prompt P_((void));
 void del_char P_((void));
@@ -1685,7 +1685,7 @@ command(char *cmd_str1)           /* process commands from keyboard       */
                        cmd_str = cmd_str2 = get_string(file_write_prompt_str, TRUE);
                }
                tmp_file = resolve_name(cmd_str);
-               write_file(tmp_file);
+               write_file(tmp_file, 1);
                if (tmp_file != cmd_str)
                        free(tmp_file);
        }
@@ -2380,7 +2380,7 @@ finish(void)      /* prepare to exit edit session */
                file_name = tmp_file;
        }
 
-       if (write_file(file_name))
+       if (write_file(file_name, 1))
        {
                text_changes = FALSE;
                quit(0);
@@ -2455,7 +2455,7 @@ delete_text(void)
 }
 
 int 
-write_file(char *file_name)
+write_file(char *file_name, int warn_if_exists)
 {
        char cr;
        char *tmp_point;
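Review bot: The new `warn_if_exists` parameter of write_file has no comment, and passing 0 silently disables the overwrite prompt guarded by the condition changed in the next hunk. I would document it above the definition, for example `/* warn_if_exists: non-zero prompts before overwriting an existing file; pass 0 only for a file the caller has just created itself */`. The bare `1` and `0` at the call sites would also read better as `TRUE`/`FALSE`, which this file already uses. The body of write_file continues outside this hunk, so how the file is opened for writing after the check is not visible here.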
@@ -2465,7 +2465,8 @@ write_file(char *file_name)
        int write_flag = TRUE;
 
        charac = lines = 0;
-       if ((in_file_name == NULL) || strcmp(in_file_name, file_name))
+       if (warn_if_exists &&
+           ((in_file_name == NULL) || strcmp(in_file_name, file_name)))
        {
                if ((temp_fp = fopen(file_name, "r")))
                {
@@ -3699,7 +3700,7 @@ file_op(int arg)
        {
                string = get_string(file_write_prompt_str, TRUE);
                tmp_file = resolve_name(string);
-               write_file(tmp_file);
+               write_file(tmp_file, 1);
                if (tmp_file != string)
                        free(tmp_file);
                free(string);
@@ -3736,7 +3737,7 @@ file_op(int arg)
                                string = tmp_file;
                        }
                }
-               if (write_file(string))
+               if (write_file(string, 1))
                {
                        in_file_name = string;
                        text_changes = FALSE;
@@ -4348,17 +4349,25 @@ spell_op(void)  /* check spelling of words in the editor        */
 void 
 ispell_op(void)
 {
-       char name[128];
+       char template[128], *name;
        char string[256];
-       int pid;
+       int fd;
 
        if (restrict_mode())
        {
                return;
        }
-       pid = getpid();
-       sprintf(name, "/tmp/ee.%d", pid);
-       if (write_file(name))
+       (void)sprintf(template, "/tmp/ee.XXXXXXXX");
+       name = mktemp(&template[0]);
+       fd = open(name, O_CREAT | O_EXCL | O_RDWR, 0600);
+       if (fd < 0) {
+               wmove(com_win, 0, 0);
+               wprintw(com_win, create_file_fail_msg, name);
+               wrefresh(com_win);
+               return;
+       }
+       close(fd);
+       if (write_file(name, 0))
        {
                sprintf(string, "ispell %s", name);
                sh_command(string);
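Review bot: In ispell_op the `mktemp()` result is passed straight to `open()` without a check, and the `mktemp()` + `open(name, O_CREAT | O_EXCL | O_RDWR, 0600)` pair makes only one attempt, so a name collision in /tmp fails the spell check instead of retrying. `mkstemp()` does the same exclusive 0600 create and retries by itself, so the two lines could become `fd = mkstemp(template);` and `name = template;`, with the existing `if (fd < 0)` branch unchanged. The descriptor is then closed and `write_file(name, 0)` reopens the path by name; that is presumably safe only because the file already exists with the user's ownership in a sticky /tmp, and a short comment saying so would help. The function continues past the end of the hunk, so whether the temporary file is removed after ispell exits cannot be confirmed from here.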