Commits

Mats Lidell committed 7e8e2d4

Remove security issue with tempfiles and Mosaic

2014-05-20 Mats Lidell <matsl@xemacs.org>

* browse-url.el (browse-url-mosaic): Upstream security issue. Be
careful when writing /tmp/Mosaic.PID.
(http://bugs.debian.org/747100) Patch by Glenn Morris.

  • Participants
  • Parent commits f66940d

Comments (0)

Files changed (2)

+2014-05-20  Mats Lidell  <matsl@xemacs.org>
+
+	* browse-url.el (browse-url-mosaic): Upstream security issue. Be
+	careful when writing /tmp/Mosaic.PID.
+	(http://bugs.debian.org/747100) Patch by Glenn Morris.
+
 2014-05-15  Norbert Koch  <viteno@xemacs.org>
 
 	* Makefile (VERSION): XEmacs package 1.82 released.
   (let ((pidfile (expand-file-name browse-url-mosaic-pidfile))
 	pid)
     (if (file-readable-p pidfile)
-	(save-excursion
-	  (find-file pidfile)
-	  (goto-char (point-min))
-	  (setq pid (read (current-buffer)))
-	  (kill-buffer nil)))
-    (if (and pid (zerop (signal-process pid 0))) ; Mosaic running
-	(save-excursion
-	  (find-file (format "/tmp/Mosaic.%d" pid))
-	  (erase-buffer)
-	  (insert (if (browse-url-maybe-new-window new-window)
-		      "newwin\n"
-		    "goto\n")
-		  url "\n")
-	  (save-buffer)
-	  (kill-buffer nil)
+        (with-temp-buffer
+          (insert-file-contents pidfile)
+	  (setq pid (read (current-buffer)))))
+    (if (and (integerp pid) (zerop (signal-process pid 0))) ; Mosaic running
+        (progn
+          (with-temp-buffer
+            (insert (if (browse-url-maybe-new-window new-window)
+                        "newwin\n"
+                      "goto\n")
+                    url "\n")
+            (if (file-exists-p (setq pidfile (format "/tmp/Mosaic.%d" pid)))
+                (delete-file pidfile))
+            ;; http://debbugs.gnu.org/17428.  Use O_EXCL.
+            (write-region nil nil pidfile nil 'silent nil 'excl))
 	  ;; Send signal SIGUSR to Mosaic
 	  (message "Signalling Mosaic...")
 	  (signal-process pid 'SIGUSR1)
 	  ;; Or you could try:
 	  ;; (call-process "kill" nil 0 nil "-USR1" (int-to-string pid))
-	  (message "Signalling Mosaic...done")
-	  )
+	  (message "Signalling Mosaic...done"))
       ;; Mosaic not running - start it
       (message "Starting Mosaic...")
       (apply 'start-process "xmosaic" nil browse-url-mosaic-program