diff options
author | Tatsuya Kinoshita <tats@debian.org> | 2018-01-25 16:03:53 +0000 |
---|---|---|
committer | Tatsuya Kinoshita <tats@debian.org> | 2018-01-26 09:40:18 +0000 |
commit | 10358a9ba68bba355bf7ba08c11715b7c26ecfc6 (patch) | |
tree | de41f813f112776a36938567fc9890054ac82ece | |
parent | Prevent invalid columnPos() call in formUpdateBuffer() (diff) | |
download | w3m-10358a9ba68bba355bf7ba08c11715b7c26ecfc6.tar.gz w3m-10358a9ba68bba355bf7ba08c11715b7c26ecfc6.zip |
Make temporary directory safely when ~/.w3m is unwritablev0.5.3+git20170102+deb9u1master-stretch
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888097 [CVE-2018-6198]
-rw-r--r-- | main.c | 5 | ||||
-rw-r--r-- | rc.c | 3 |
2 files changed, 8 insertions, 0 deletions
@@ -5972,6 +5972,11 @@ w3m_exit(int i) #ifdef __MINGW32_VERSION WSACleanup(); #endif + if (no_rc_dir && tmp_dir != rc_dir) + if (rmdir(tmp_dir) != 0) { + fprintf(stderr, "Can't remove temporary directory (%s)!\n", tmp_dir); + exit(1); + } exit(i); } @@ -1330,6 +1330,9 @@ init_rc(void) ((tmp_dir = getenv("TMP")) == NULL || *tmp_dir == '\0') && ((tmp_dir = getenv("TEMP")) == NULL || *tmp_dir == '\0')) tmp_dir = "/tmp"; + tmp_dir = mkdtemp(Strnew_m_charp(tmp_dir, "/w3m-XXXXXX", NULL)->ptr); + if (tmp_dir == NULL) + tmp_dir = rc_dir; create_option_search_table(); goto open_rc; } |