author keithmarshall <keithmarshall> 2010-12-02 17:14:16 +0000
committer keithmarshall <keithmarshall> 2010-12-02 17:14:16 +0000
commit 2262217705247ae443e9016cb467dac9ecf49f8d
tree b84839a709fa68be479e4c2f8b2c1a81f04cd487
parent 780293087ed2076c123b432b0c06ca66be4fa803
Address potential temporary file security vulnerabilities.
-rw-r--r-- contrib/pdfmark/ChangeLog 8
-rw-r--r-- contrib/pdfmark/pdfroff.man 22
-rw-r--r-- contrib/pdfmark/pdfroff.sh 42
3 files changed, 60 insertions, 12 deletions
diff --git a/contrib/pdfmark/ChangeLog b/contrib/pdfmark/ChangeLog
index 1075fafd..f418e186 100644
--- a/contrib/pdfmark/ChangeLog
+++ b/contrib/pdfmark/ChangeLog
@@ -1,3 +1,11 @@
+2010-12-02 Keith Marshall <keith.d.marshall@ntlworld.com>
+
+ Address potential temporary file security vulnerabilities.
+
+ * pdfroff.sh (GROFF_TMPDIR): Use mktemp(1) to assign it, if possible;
+ fall back to ${TMPDIR}, ${TMP} or ${TEMP} if unsuccessful.
+ * pdfroff.man: Document it.
+
2009-08-16 Colin Watson <cjwatson@debian.org>
Make pdfroff's GhostScript invocation safer.
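Review bot: The new entry under pdfroff.sh records only the GROFF_TMPDIR assignment, but the same commit also adds a trap for events 1 2 3 13 15 and moves the exit trap ahead of the file name assignments; add a line for the trap changes so the log matches the diff. The fallback list "${TMPDIR}, ${TMP} or ${TEMP}" also leaves out that a pre-set GROFF_TMPDIR is honoured first and that the current directory "." is the final default, both of which are visible in the script's assignment.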
diff --git a/contrib/pdfmark/pdfroff.man b/contrib/pdfmark/pdfroff.man
index 764f029c..35e44a75 100644
--- a/contrib/pdfmark/pdfroff.man
+++ b/contrib/pdfmark/pdfroff.man
@@ -645,10 +645,24 @@ normally, the final output file should be named
.P
Temporary files, created by
.BR pdfroff ,
-are placed in the directory specified by environment variables (see
-section
-.BR ENVIRONMENT ),
-and named according to the convention
+are placed in the file system hierarchy,
+in or below the directory specified by environment variables
+(see section
+.BR ENVIRONMENT ).
+If
+.BR mktemp (@MAN1EXT@)
+is available,
+it is invoked to create a private subdirectory of
+the nominated temporary files directory,
+(with subdirectory name derived from the template
+.BR pdfroff-XXXXXXXXXX );
+if this subdirectory is successfully created,
+the temporary files will be placed within it,
+otherwise they will be placed directly in the directory
+nominated in the environment.
+.P
+All temporary files themselves
+are named according to the convention
.BI pdf $$ .*\c
\&, where
.I $$
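Review bot: The sentence ending "otherwise they will be placed directly in the directory nominated in the environment" does not tell the reader that in this fallback case the files keep the predictable pdf$$.* names with no private subdirectory around them. Suggest adding a sentence recommending that, where mktemp is unavailable, GROFF_TMPDIR be pointed at a directory only the user can write to. Minor style point: drop the comma before "(with subdirectory name derived from the template".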
diff --git a/contrib/pdfmark/pdfroff.sh b/contrib/pdfmark/pdfroff.sh
index aa13ec73..bb05df04 100644
--- a/contrib/pdfmark/pdfroff.sh
+++ b/contrib/pdfmark/pdfroff.sh
@@ -135,9 +135,40 @@
echo $2`
fi
#
-# Set up temporary/intermediate file locations.
+# Set up temporary/intermediate file locations, with traps to
+# clean them up on exit. Note that, for greater portability, we
+# prefer to refer to events by number, rather than by symbolic
+# names; thus, the EXIT event is trapped as event zero.
+#
+ export TMPDIR GROFF_TMPDIR
+ TMPDIR=${GROFF_TMPDIR=${TMPDIR-${TMP-${TEMP-"."}}}}
+ if GROFF_TMPDIR=`exec 2>${NULLDEV}; mktemp -dt pdfroff-XXXXXXXXXX`
+ then
+ #
+ # We successfully created a private temporary directory,
+ # so to clean up, we may simply purge it.
+ #
+ trap "rm -rf ${GROFF_TMPDIR}" 0
+ #
+ else
+ #
+ # Creation of a private temporary directory was unsuccessful;
+ # fall back to user nominated directory, (using current directory
+ # as default), and schedule removal of only the temporary files.
+ #
+ GROFF_TMPDIR=${TMPDIR}
+ trap "rm -f ${GROFF_TMPDIR}/pdf$$.*" 0
+ fi
+ #
+ # In the case of abnormal termination events, we force an exit
+ # (with status code '1'), leaving the normal exit trap to clean
+ # up the temporary files, as above. Note that we again prefer
+ # to refer to events by number, rather than by symbolic names;
+ # here we trap SIGHUP, SIGINT, SIGQUIT, SIGPIPE and SIGTERM.
+ #
+ trap "exit 1" 1 2 3 13 15
#
- WRKFILE=${GROFF_TMPDIR=${TMPDIR-${TMP-${TEMP-"."}}}}/pdf$$.tmp
+ WRKFILE=${GROFF_TMPDIR}/pdf$$.tmp
#
REFCOPY=${GROFF_TMPDIR}/pdf$$.cmp
REFFILE=${GROFF_TMPDIR}/pdf$$.ref
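Review bot: Both exit traps interpolate ${GROFF_TMPDIR} unquoted into the command string, so in trap "rm -rf ${GROFF_TMPDIR}" 0 a directory name containing whitespace or glob characters is word-split when the trap runs and rm -rf acts on the pieces. Suggest quoting the path inside the trap command, for example trap 'rm -rf "${GROFF_TMPDIR}"' 0, and likewise for the rm -f form in the else branch. Separately, the else branch is reached silently because mktemp's stderr is sent to ${NULLDEV}; since it falls back to pdf$$.* names directly in ${TMPDIR} (or "."), a one-line warning on stderr there would let users know the private directory was not created.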
@@ -146,11 +177,6 @@
TC_DATA=${GROFF_TMPDIR}/pdf$$.tc
BD_DATA=${GROFF_TMPDIR}/pdf$$.ps
#
-# Set a trap, to delete temporary files on exit.
-# (FIXME: may want to include other signals, in released version).
-#
- trap "rm -f ${GROFF_TMPDIR}/pdf$$.*" 0
-#
# Initialise 'groff' format control settings,
# to discriminate table of contents and document body formatting passes.
#
@@ -627,4 +653,4 @@
$SAY >&2 ". done"
#
# ------------------------------------------------------------------------------
-# $RCSfile: pdfroff.sh,v $ $Revision: 1.16 $: end of file
+# $RCSfile: pdfroff.sh,v $ $Revision: 1.17 $: end of file