From 10358a9ba68bba355bf7ba08c11715b7c26ecfc6 Mon Sep 17 00:00:00 2001
From: Tatsuya Kinoshita
Date: Fri, 26 Jan 2018 01:03:53 +0900
Subject: Make temporary directory safely when ~/.w3m is unwritable
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888097 [CVE-2018-6198]
---
 main.c | 5 +++++
 rc.c | 3 +++
 2 files changed, 8 insertions(+)
diff --git a/main.c b/main.c
index 85b0003..b99928c 100644
--- a/main.c
+++ b/main.c
@@ -5972,6 +5972,11 @@ w3m_exit(int i)
 #ifdef __MINGW32_VERSION
 WSACleanup();
 #endif
+ if (no_rc_dir && tmp_dir != rc_dir)
+ if (rmdir(tmp_dir) != 0) {
+ fprintf(stderr, "Can't remove temporary directory (%s)!\n", tmp_dir);
+ exit(1);
+ }
 exit(i);
 }
diff --git a/rc.c b/rc.c
index 7de87b8..428241c 100644
--- a/rc.c
+++ b/rc.c
@@ -1330,6 +1330,9 @@ init_rc(void)
 ((tmp_dir = getenv("TMP")) == NULL || *tmp_dir == '\0') &&
 ((tmp_dir = getenv("TEMP")) == NULL || *tmp_dir == '\0'))
 tmp_dir = "/tmp";
+ tmp_dir = mkdtemp(Strnew_m_charp(tmp_dir, "/w3m-XXXXXX", NULL)->ptr);
+ if (tmp_dir == NULL)
+ tmp_dir = rc_dir;
 create_option_search_table();
 goto open_rc;
 }
-- 
cgit v1.2.3
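Review bot: In the block added to w3m_exit, a failed `rmdir(tmp_dir)` ends the process with `exit(1)` and discards the caller's status `i`, so a cleanup problem changes the result of an otherwise normal exit. rmdir fails whenever the directory still holds entries, which seems likely if any temporary file was not removed before this point, and the message does not give the errno reason. I would report and fall through: `if (no_rc_dir && tmp_dir != rc_dir && rmdir(tmp_dir) != 0)` followed by `fprintf(stderr, "Can't remove temporary directory (%s): %s\n", tmp_dir, strerror(errno));`, leaving the existing `exit(i);` to run (assuming main.c already includes the headers for `strerror` and `errno`). The start of w3m_exit is outside the hunk, so whether temporary files are unlinked earlier cannot be confirmed from here.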
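Review bot: When `mkdtemp` fails in init_rc, the new code silently sets `tmp_dir = rc_dir`, and going by the commit subject this path is reached when ~/.w3m is not usable, so later temporary-file creation would presumably fail with no hint of the cause. The fallback does avoid returning to the shared directory, which is worth stating in a comment such as `/* mkdtemp failed: never fall back to the shared tmp dir; rc_dir may be unwritable */`. I would also brace the `if (tmp_dir == NULL)` body and add `fprintf(stderr, "Can't create temporary directory: %s\n", strerror(errno));` before the assignment. The cleanup in w3m_exit depends on the pointer comparison `tmp_dir != rc_dir` that this assignment sets up, so a one-line comment linking the two would help; init_rc begins and continues outside the hunk.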