To: vim-dev@vim.org Subject: Patch 6.2.507 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit ------------ Patch 6.2.507 Problem: The ownership of the file with the password for the NetBeans connection is not checked. "-nb={file}" doesn't work for GTK. Solution: Only accept the file when owned by the user and not accessible by others. Detect "-nb=" for GTK. Files: src/netbeans.c, src/gui_gtk_x11.c *** ../vim-6.2.506/src/netbeans.c Sat Apr 17 21:14:10 2004 --- src/netbeans.c Tue Apr 27 18:16:51 2004 *************** *** 70,76 **** static long get_buf_size __ARGS((buf_T *)); static void netbeans_connect __ARGS((void)); ! static void getConnInfo __ARGS((char *file, char **host, char **port, char **password)); static void nb_init_graphics __ARGS((void)); static void coloncmd __ARGS((char *cmd, ...)); --- 70,76 ---- static long get_buf_size __ARGS((buf_T *)); static void netbeans_connect __ARGS((void)); ! static int getConnInfo __ARGS((char *file, char **host, char **port, char **password)); static void nb_init_graphics __ARGS((void)); static void coloncmd __ARGS((char *cmd, ...)); *************** *** 247,262 **** char *arg = NULL; if (netbeansArg[3] == '=') /* "-nb=fname": Read info from specified file. */ ! getConnInfo(netbeansArg + 4, &hostname, &address, &password); else { if (netbeansArg[3] == ':') /* "-nb:::": get info from argument */ arg = netbeansArg + 4; if (arg == NULL && (fname = getenv("__NETBEANS_CONINFO")) != NULL) /* "-nb": get info from file specified in environment */ ! getConnInfo(fname, &hostname, &address, &password); else { if (arg != NULL) --- 247,269 ---- char *arg = NULL; if (netbeansArg[3] == '=') + { /* "-nb=fname": Read info from specified file. */ ! if (getConnInfo(netbeansArg + 4, &hostname, &address, &password) ! == FAIL) ! return; ! 
} else { if (netbeansArg[3] == ':') /* "-nb:::": get info from argument */ arg = netbeansArg + 4; if (arg == NULL && (fname = getenv("__NETBEANS_CONINFO")) != NULL) + { /* "-nb": get info from file specified in environment */ ! if (getConnInfo(fname, &hostname, &address, &password) == FAIL) ! return; ! } else { if (arg != NULL) *************** *** 326,335 **** server.sin_port = htons(port); if ((host = gethostbyname(hostname)) == NULL) { ! if (access(hostname, R_OK) >= 0) { /* DEBUG: input file */ ! sd = open(hostname, O_RDONLY); goto theend; } PERROR("gethostbyname() in netbeans_connect()"); --- 333,342 ---- server.sin_port = htons(port); if ((host = gethostbyname(hostname)) == NULL) { ! if (mch_access(hostname, R_OK) >= 0) { /* DEBUG: input file */ ! sd = mch_open(hostname, O_RDONLY, 0); goto theend; } PERROR("gethostbyname() in netbeans_connect()"); *************** *** 421,463 **** /* * Obtain the NetBeans hostname, port address and password from a file. * Return the strings in allocated memory. */ ! static void getConnInfo(char *file, char **host, char **port, char **auth) { ! FILE *fp = mch_fopen(file, "r"); char_u buf[BUFSIZ]; char_u *lp; char_u *nl; if (fp == NULL) PERROR("E660: Cannot open NetBeans connection info file"); ! else { ! /* Read the file. There should be one of each parameter */ ! while ((lp = (char_u *)fgets((char *)buf, BUFSIZ, fp)) != NULL) ! { ! if ((nl = vim_strchr(lp, '\n')) != NULL) ! *nl = 0; /* strip off the trailing newline */ ! if (STRNCMP(lp, "host=", 5) == 0) ! { ! vim_free(*host); ! *host = (char *)vim_strsave(&buf[5]); ! } ! else if (STRNCMP(lp, "port=", 5) == 0) ! { ! vim_free(*port); ! *port = (char *)vim_strsave(&buf[5]); ! } ! else if (STRNCMP(lp, "auth=", 5) == 0) ! { ! vim_free(*auth); ! *auth = (char *)vim_strsave(&buf[5]); ! } } - fclose(fp); } } --- 428,491 ---- /* * Obtain the NetBeans hostname, port address and password from a file. * Return the strings in allocated memory. 
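Review bot: In the `gethostbyname()` failure branch of netbeans_connect(), `mch_access(hostname, R_OK)` followed by `mch_open(hostname, O_RDONLY, 0)` is still a check-then-use pair on a path name, so the access test adds nothing that the result of the open does not already give. The value in `hostname` can come from the connection file or the `-nb` argument, and with this "DEBUG: input file" fallback any name that fails to resolve is read as a local file. I would drop the access call and test the descriptor instead, `sd = mch_open(hostname, O_RDONLY, 0);` then `if (sd >= 0) goto theend;`, and compile the fallback only in debug builds. The enclosing function starts and ends outside this hunk, so how `sd` is used after `theend` is not visible here.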
+ * Return FAIL if the file could not be read, OK otherwise (no matter what it + * contains). */ ! static int getConnInfo(char *file, char **host, char **port, char **auth) { ! FILE *fp; char_u buf[BUFSIZ]; char_u *lp; char_u *nl; + #ifdef UNIX + struct stat st; + /* + * For Unix only accept the file when it's owned by the current user and + * not accessible by others. + */ + if (mch_stat(file, &st) == 0 + && (st.st_uid != getuid() || (st.st_mode & 0077))) + { + EMSG2(_("E668: Ownership of NetBeans connection file invalid: \"%s\""), + file); + return FAIL; + } + #endif + + fp = mch_fopen(file, "r"); if (fp == NULL) + { PERROR("E660: Cannot open NetBeans connection info file"); ! return FAIL; ! } ! ! /* Read the file. There should be one of each parameter */ ! while ((lp = (char_u *)fgets((char *)buf, BUFSIZ, fp)) != NULL) { ! if ((nl = vim_strchr(lp, '\n')) != NULL) ! *nl = 0; /* strip off the trailing newline */ ! if (STRNCMP(lp, "host=", 5) == 0) ! { ! vim_free(*host); ! *host = (char *)vim_strsave(&buf[5]); ! } ! else if (STRNCMP(lp, "port=", 5) == 0) ! { ! vim_free(*port); ! *port = (char *)vim_strsave(&buf[5]); ! } ! else if (STRNCMP(lp, "auth=", 5) == 0) ! { ! vim_free(*auth); ! *auth = (char *)vim_strsave(&buf[5]); } } + fclose(fp); + + return OK; } *************** *** 578,584 **** if (file == NULL) outfd = -3; else ! outfd = open(file, O_WRONLY|O_CREAT|O_TRUNC, 0666); } if (outfd >= 0) --- 606,612 ---- if (file == NULL) outfd = -3; else ! outfd = mch_open(file, O_WRONLY|O_CREAT|O_TRUNC, 0666); } if (outfd >= 0) *** ../vim-6.2.506/src/gui_gtk_x11.c Mon Apr 5 20:28:39 2004 --- src/gui_gtk_x11.c Tue Apr 27 18:00:59 2004 *************** *** 480,486 **** break; #ifdef FEAT_NETBEANS_INTG /* darn, -nb has non-standard syntax */ ! if (argv[i][len] == ':' && (option->flags & ARG_INDEX_MASK) == ARG_NETBEANS) break; #endif --- 480,486 ---- break; #ifdef FEAT_NETBEANS_INTG /* darn, -nb has non-standard syntax */ ! 
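Review bot: The ownership test in getConnInfo() calls `mch_stat()` on the path and then `mch_fopen()` opens the same path a second time, so the file that was checked need not be the file that is read if the name is replaced in between. The condition also only rejects when `mch_stat()` succeeds, so a stat failure skips the test instead of failing it. Opening first and running `fstat()` on `fileno(fp)` checks the object that was actually opened and lets a stat error count as FAIL. The whole function is inside this hunk, and the sketch below shows only the reordered part.

```c
static int
getConnInfo(char *file, char **host, char **port, char **auth)
{
    /* ... unchanged: fp, buf, lp, nl declarations ... */
#ifdef UNIX
    struct stat	st;
#endif

    fp = mch_fopen(file, "r");
    if (fp == NULL)
    {
	PERROR("E660: Cannot open NetBeans connection info file");
	return FAIL;
    }

#ifdef UNIX
    /*
     * Check the file that was actually opened, so the path cannot be
     * swapped between the check and the read.  A failing fstat() is
     * treated as a failed check.
     */
    if (fstat(fileno(fp), &st) != 0
	    || st.st_uid != getuid() || (st.st_mode & 0077))
    {
	fclose(fp);
	EMSG2(_("E668: Ownership of NetBeans connection file invalid: \"%s\""),
								    file);
	return FAIL;
    }
#endif
    /* ... unchanged: fgets() loop, fclose(fp), return OK ... */
```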
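Review bot: The output file in the `outfd` branch is still created with mode 0666 and `O_TRUNC`, so (subject to umask) other users can read it, and an existing file at that path is truncated. This commit tightens the handling of the NetBeans password file. If this descriptor logs protocol traffic, which the hunk does not show, the log can carry the same secret and should be private: `outfd = mch_open(file, O_WRONLY|O_CREAT|O_TRUNC, 0600);`. The enclosing function starts and ends outside this hunk, so where `file` comes from should be confirmed before deciding whether an exclusive create is also needed.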
if (vim_strchr(":=", argv[i][len]) != NULL && (option->flags & ARG_INDEX_MASK) == ARG_NETBEANS) break; #endif *** ../vim-6.2.506/src/version.c Tue Apr 27 16:27:09 2004 --- src/version.c Tue Apr 27 21:38:31 2004 *************** *** 639,640 **** --- 639,642 ---- { /* Add new patch number below this line */ + /**/ + 507, /**/ -- Despite the cost of living, have you noticed how it remains so popular? /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// Sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ \\\ Project leader for A-A-P -- http://www.A-A-P.org /// \\\ Buy at Amazon and help AIDS victims -- http://ICCF.nl/click1.html ///