To: vim-dev@vim.org Subject: Patch 6.2.445 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit ------------ Patch 6.2.445 Problem: Copying vimtutor to /tmp/something is not secure, a symlink may cause trouble. Solution: Create a directory and create the file in it. Use "umask" to create the directory with mode 700. (Stefan Nordhausen) Files: src/vimtutor *** ../vim-6.2.444/src/vimtutor Wed Mar 13 10:04:11 2002 --- src/vimtutor Sun Apr 4 16:20:16 2004 *************** *** 10,22 **** xx=$1 export xx ! # Use Vim to copy the tutor, it knows the value of $VIMRUNTIME tmp="${TMPDIR-/tmp}" ! TUTORCOPY=`mktemp $tmp/tutorXXXXXX || tempfile -p tutor || echo $tmp/tutor$$` export TUTORCOPY # remove the copy of the tutor on exit ! trap "rm -f $TUTORCOPY" 0 1 2 3 9 11 13 15 # Vim could be called "vim" or "vi". Also check for "vim6", for people who # have Vim 5.x installed as "vim" and Vim 6.0 as "vim6". --- 10,43 ---- xx=$1 export xx ! # We need a temp file for the copy. First try using a standard command. tmp="${TMPDIR-/tmp}" ! TUTORCOPY=`mktemp $tmp/tutorXXXXXX || tempfile -p tutor || echo none` ! ! # If the standard commands failed then create a directory to put the copy in. ! # That is a secure way to make a temp file. ! if test "$TUTORCOPY" = none; then ! tmpdir=$tmp/vimtutor$$ ! OLD_UMASK=`umask` ! umask 077 ! getout=no ! mkdir $tmpdir || getout=yes ! umask $OLD_UMASK ! if test $getout = yes; then ! echo "Could not create directory for tutor copy, exiting." ! exit 1 ! fi ! TUTORCOPY=$tmpdir/tutorcopy ! touch $TUTORCOPY ! TODELETE=$tmpdir ! else ! TODELETE=$TUTORCOPY ! fi ! export TUTORCOPY # remove the copy of the tutor on exit ! trap "rm -rf $TODELETE" 0 1 2 3 9 11 13 15 # Vim could be called "vim" or "vi". Also check for "vim6", for people who # have Vim 5.x installed as "vim" and Vim 6.0 as "vim6". *************** *** 32,37 **** --- 53,59 ---- fi fi + # Use Vim to copy the tutor, it knows the value of $VIMRUNTIME # The script tutor.vim tells Vim which file to copy $VIM -u NONE -c 'so $VIMRUNTIME/tutor/tutor.vim' *** ../vim-6.2.444/src/version.c Sun Apr 4 15:39:18 2004 --- src/version.c Sun Apr 4 16:18:21 2004 *************** *** 639,640 **** --- 639,642 ---- { /* Add new patch number below this line */ + /**/ + 445, /**/ -- hundred-and-one symptoms of being an internet addict: 266. You hear most of your jokes via e-mail instead of in person. /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// Sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ \\\ Project leader for A-A-P -- http://www.A-A-P.org /// \\\ Buy at Amazon and help AIDS victims -- http://ICCF.nl/click1.html ///