Ticket #25: abuse-0.7.1.158-security.patch
File abuse-0.7.1.158-security.patch, 3.6 KB (added by , 15 years ago) |
---|
-
src/cache.cpp
678 678 char *prefix="c:\\"; 679 679 #else 680 680 char const *prefix = "/tmp/"; // for UNIX store lisp cache in tmp dir 681 int flags = O_CREAT | O_ RDWR;681 int flags = O_CREAT | O_EXCL | O_RDWR; 682 682 #endif 683 683 684 // drop privileges prior to creating file. 685 uid_t euid; 686 gid_t egid; 687 euid = geteuid(); 688 egid = getegid(); 689 690 if(setgid(getgid()) != 0 || setuid(getuid()) != 0) { 691 printf("Error : can not drop privileges"); 692 return; 693 } 694 684 695 int cfail = 1, num = 0; 685 696 do 686 697 { … … 704 715 705 716 } while (cfail && num<15); 706 717 718 setuid(euid); 719 setgid(egid); 720 707 721 if (cfail) 708 722 { 709 723 fprintf(stderr,"Error : Unable to open cache file for compiled code.\n" -
src/dev.cpp
866 866 else if (!strcmp(argv[i],"-f")) 867 867 { 868 868 i++; 869 strcpy(level_file,argv[i]); 869 strncpy(level_file,argv[i],sizeof(level_file)-1); 870 level_file[sizeof(level_file)-1] = '\0'; 870 871 } else if (!strcmp(argv[i],"-2")) 871 872 start_doubled=1; 872 873 else if (!strcmp(argv[i],"-demo")) -
src/imlib/specs.cpp
290 290 291 291 void fast_load_start_recording(char *filename) 292 292 { 293 // drop privileges prior to creating file. 294 uid_t euid; 295 gid_t egid; 296 euid = geteuid(); 297 egid = getegid(); 298 299 if(setgid(getgid()) != 0 || setuid(getuid()) != 0) { 300 dprintf("Specs : can not drop privileges"); 301 return; 302 } 303 293 304 fast_load_fd = ::open(filename,O_CREAT|O_RDWR,S_IRWXU | S_IRWXG | S_IRWXO); 294 305 fast_load_mode = 1; 306 307 setuid(euid); 308 setgid(egid); 295 309 } 296 310 297 311 void fast_load_stop_recording() -
src/innet.cpp
85 85 else if( !strcmp( argv[i], "-net" ) && i < argc-1 ) 86 86 { 87 87 i++; 88 strcpy( main_net_cfg->server_name, argv[i] ); 88 strncpy(main_net_cfg->server_name,argv[i],sizeof(main_net_cfg->server_name)-1); 89 main_net_cfg->server_name[sizeof(main_net_cfg->server_name)-1]='\0'; 89 90 main_net_cfg->state = net_configuration::CLIENT; 90 91 } 91 92 else if (!strcmp(argv[i],"-ndb")) -
src/loader2.cpp
93 93 if (fp->open_failure()) 94 94 { 95 95 delete fp; 96 s printf(fn,"art/%s",filename);96 snprintf(fn,sizeof(fn),"art/%s",filename); 97 97 fp=open_file(fn,"rb"); 98 98 if (fp->open_failure()) 99 99 { … … 296 296 297 297 char *cachepath; 298 298 cachepath = (char *)malloc( strlen( get_save_filename_prefix() ) + 12 + 1 ); 299 s printf( cachepath, "%ssd_cache.tmp", get_save_filename_prefix() );299 snprintf( cachepath, sizeof(cachepath), "%ssd_cache.tmp", get_save_filename_prefix() ); 300 300 301 301 bFILE *load = open_file( cachepath, "rb" ); 302 302 if( !load->open_failure() ) … … 322 322 if (!strcmp(argv[i],"-a")) 323 323 { 324 324 i++; 325 s printf(lsf,"addon/%s/%s.lsp",argv[i],argv[i]);325 snprintf(lsf,sizeof(lsf),"addon/%s/%s.lsp",argv[i],argv[i]); 326 326 } 327 327 } 328 328 } else if (!get_remote_lsf(net_server,lsf)) … … 339 339 c_target=cache.reg("art/dev.spe","c_target",SPEC_IMAGE,0); 340 340 341 341 342 s printf(prog,"(load \"%s\")\n",lsf);342 snprintf(prog,sizeof(prog),"(load \"%s\")\n",lsf); 343 343 344 344 cs=prog; 345 345 if (!eval(compile(cs))) … … 355 355 for (int z=0;z<=11;z++) 356 356 { 357 357 char nm[10]; 358 s printf(nm,"l%d",z);358 snprintf(nm,sizeof(nm),"l%d",z); 359 359 light_buttons[z]=cache.reg("art/dev.spe",nm,SPEC_IMAGE,0); 360 360 } 361 361 … … 484 484 char fn[100]; 485 485 char *s; 486 486 487 s printf(fn,"%s",name);487 snprintf(fn,sizeof(fn),"%s",name); 488 488 bFILE *fp=open_file(fn,"rb"); 489 489 if (fp->open_failure()) 490 490 {