Subject: Make temporary directory safely when ~/.w3m is unwritable From: Tatsuya Kinoshita Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888097 [CVE-2018-6198] Origin: https://salsa.debian.org/debian/w3m/commit/18dcbadf2771cdb0c18509b14e4e73505b242753
diff --git a/main.c b/main.c
index 85b0003..b99928c 100644
--- a/main.c
+++ b/main.c
@@ -5972,6 +5972,11 @@ w3m_exit(int i)
 #ifdef __MINGW32_VERSION
 WSACleanup();
 #endif
+ if (no_rc_dir && tmp_dir != rc_dir)
+ if (rmdir(tmp_dir) != 0) {
+ fprintf(stderr, "Can't remove temporary directory (%s)!\n", tmp_dir);
+ exit(1);
+ }
 exit(i);
 }
diff --git a/rc.c b/rc.c
index 7de87b8..428241c 100644
--- a/rc.c
+++ b/rc.c
@@ -1330,6 +1330,9 @@ init_rc(void)
 ((tmp_dir = getenv("TMP")) == NULL || *tmp_dir == '\0') &&
 ((tmp_dir = getenv("TEMP")) == NULL || *tmp_dir == '\0'))
 tmp_dir = "/tmp";
+ tmp_dir = mkdtemp(Strnew_m_charp(tmp_dir, "/w3m-XXXXXX", NULL)->ptr);
+ if (tmp_dir == NULL)
+ tmp_dir = rc_dir;
 create_option_search_table();
 goto open_rc;
 }
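Review bot: In the added block of w3m_exit, a failed rmdir() replaces the caller's exit status `i` with 1, and the message omits errno, so a leftover file in the private directory (ENOTEMPTY) cannot be told apart from a permission problem and the real exit code is masked. Consider reporting and continuing: `if (no_rc_dir && tmp_dir != rc_dir && rmdir(tmp_dir) != 0)` followed by `fprintf(stderr, "Can't remove temporary directory (%s): %s\n", tmp_dir, strerror(errno));`, then fall through to the existing `exit(i);`. Folding the two conditions also removes the unbraced nested `if`. The test `tmp_dir != rc_dir` is a pointer comparison that relies on the fallback assignment in init_rc, so a comment such as `/* tmp_dir == rc_dir means mkdtemp() failed in init_rc(); nothing to remove */` would record that coupling. w3m_exit begins outside the hunk, so whether earlier cleanup always empties the directory cannot be confirmed from here.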
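Review bot: When mkdtemp() fails, the fallback `tmp_dir = rc_dir;` silently returns to the directory that, per the commit subject, is the unwritable one, so the private-directory protection this patch adds is dropped without any diagnostic. Whether later temp-file creation then fails safely depends on code outside the hunk. At minimum report the failure before falling back, e.g. `fprintf(stderr, "Can't create temporary directory: %s\n", strerror(errno));`, or treat it as fatal. A comment above the call would also help the next reader: `/* mkdtemp() creates the directory with mode 0700, so other users cannot pre-create temp-file names inside it */`. init_rc starts outside the hunk.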