author | keithmarshall <keithmarshall> | 2010-12-02 17:14:16 +0000 |
---|---|---|
committer | keithmarshall <keithmarshall> | 2010-12-02 17:14:16 +0000 |
commit | 2262217705247ae443e9016cb467dac9ecf49f8d (patch) | |
tree | b84839a709fa68be479e4c2f8b2c1a81f04cd487 /contrib/pdfmark | |
parent | 780293087ed2076c123b432b0c06ca66be4fa803 (diff) | |
download | groff-2262217705247ae443e9016cb467dac9ecf49f8d.tar.gz |
Address potential temporary file security vulnerabilities.
Diffstat (limited to 'contrib/pdfmark')
-rw-r--r-- | contrib/pdfmark/ChangeLog | 8 |
-rw-r--r-- | contrib/pdfmark/pdfroff.man | 22 |
-rw-r--r-- | contrib/pdfmark/pdfroff.sh | 42 |
3 files changed, 60 insertions, 12 deletions
diff --git a/contrib/pdfmark/ChangeLog b/contrib/pdfmark/ChangeLog index 1075fafd..f418e186 100644 --- a/contrib/pdfmark/ChangeLog +++ b/contrib/pdfmark/ChangeLog @@ -1,3 +1,11 @@ +2010-12-02 Keith Marshall <keith.d.marshall@ntlworld.com> + + Address potential temporary file security vulnerabilities. + + * pdfroff.sh (GROFF_TMPDIR): Use mktemp(1) to assign it, if possible; + fall back to ${TMPDIR}, ${TMP} or ${TEMP} if unsuccessful. + * pdfroff.man: Document it. + 2009-08-16 Colin Watson <cjwatson@debian.org> Make pdfroff's GhostScript invocation safer. diff --git a/contrib/pdfmark/pdfroff.man b/contrib/pdfmark/pdfroff.man index 764f029c..35e44a75 100644 --- a/contrib/pdfmark/pdfroff.man +++ b/contrib/pdfmark/pdfroff.man @@ -645,10 +645,24 @@ normally, the final output file should be named .P Temporary files, created by .BR pdfroff , -are placed in the directory specified by environment variables (see -section -.BR ENVIRONMENT ), -and named according to the convention +are placed in the file system hierarchy, +in or below the directory specified by environment variables +(see section +.BR ENVIRONMENT ). +If +.BR mktemp (@MAN1EXT@) +is available, +it is invoked to create a private subdirectory of +the nominated temporary files directory, +(with subdirectory name derived from the template +.BR pdfroff-XXXXXXXXXX ); +if this subdirectory is successfully created, +the temporary files will be placed within it, +otherwise they will be placed directly in the directory +nominated in the environment. +.P +All temporary files themselves +are named according to the convention .BI pdf $$ .*\c \&, where .I $$ diff --git a/contrib/pdfmark/pdfroff.sh b/contrib/pdfmark/pdfroff.sh index aa13ec73..bb05df04 100644 --- a/contrib/pdfmark/pdfroff.sh +++ b/contrib/pdfmark/pdfroff.sh 
@@ -135,9 +135,40 @@ echo $2` fi # -# Set up temporary/intermediate file locations. +# Set up temporary/intermediate file locations, with traps to +# clean them up on exit. Note that, for greater portability, we +# prefer to refer to events by number, rather than by symbolic +# names; thus, the EXIT event is trapped as event zero. +# + export TMPDIR GROFF_TMPDIR + TMPDIR=${GROFF_TMPDIR=${TMPDIR-${TMP-${TEMP-"."}}}} + if GROFF_TMPDIR=`exec 2>${NULLDEV}; mktemp -dt pdfroff-XXXXXXXXXX` + then + # + # We successfully created a private temporary directory, + # so to clean up, we may simply purge it. + # + trap "rm -rf ${GROFF_TMPDIR}" 0 + # + else + # + # Creation of a private temporary directory was unsuccessful; + # fall back to user nominated directory, (using current directory + # as default), and schedule removal of only the temporary files. + # + GROFF_TMPDIR=${TMPDIR} + trap "rm -f ${GROFF_TMPDIR}/pdf$$.*" 0 + fi + # + # In the case of abnormal termination events, we force an exit + # (with status code '1'), leaving the normal exit trap to clean + # up the temporary files, as above. Note that we again prefer + # to refer to events by number, rather than by symbolic names; + # here we trap SIGHUP, SIGINT, SIGQUIT, SIGPIPE and SIGTERM. + # + trap "exit 1" 1 2 3 13 15 # - WRKFILE=${GROFF_TMPDIR=${TMPDIR-${TMP-${TEMP-"."}}}}/pdf$$.tmp + WRKFILE=${GROFF_TMPDIR}/pdf$$.tmp # REFCOPY=${GROFF_TMPDIR}/pdf$$.cmp REFFILE=${GROFF_TMPDIR}/pdf$$.ref @@ -146,11 +177,6 @@ TC_DATA=${GROFF_TMPDIR}/pdf$$.tc BD_DATA=${GROFF_TMPDIR}/pdf$$.ps # -# Set a trap, to delete temporary files on exit. -# (FIXME: may want to include other signals, in released version). -# - trap "rm -f ${GROFF_TMPDIR}/pdf$$.*" 0 -# # Initialise 'groff' format control settings, # to discriminate table of contents and document body formatting passes. # 
@@ -627,4 +653,4 @@ $SAY >&2 ". done" # # ------------------------------------------------------------------------------ -# $RCSfile: pdfroff.sh,v $ $Revision: 1.16 $: end of file +# $RCSfile: pdfroff.sh,v $ $Revision: 1.17 $: end of file |
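Review bot: The ChangeLog entry (contrib/pdfmark/ChangeLog, hunk @@ -1,3 +1,11) records only the GROFF_TMPDIR assignment, but the same commit also moves the exit trap and adds a new `trap "exit 1" 1 2 3 13 15` for SIGHUP, SIGINT, SIGQUIT, SIGPIPE and SIGTERM. Please add a line for the trap changes in pdfroff.sh. The entry also lists the fallback as ${TMPDIR}, ${TMP} or ${TEMP}, while the script's final default is the current directory ("."), which is worth stating since that is where predictably named files land when nothing is set.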
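Review bot: The new paragraph in contrib/pdfmark/pdfroff.man (hunk @@ -645,10 +645,24) describes the fallback "otherwise they will be placed directly in the directory nominated in the environment" without telling the reader what that costs: in that case the files keep the predictable pdf$$.* names in a directory that may be shared, which is the condition this commit is meant to address. I would add a sentence saying so, and another noting that the private pdfroff-XXXXXXXXXX subdirectory is removed recursively on exit, so users do not place anything of their own in it. Minor style point: drop the comma before the parenthesis in "temporary files directory, (with subdirectory name ...".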
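Review bot: In contrib/pdfmark/pdfroff.sh (hunk @@ -135,9 +135,40), the else branch falls back silently to `GROFF_TMPDIR=${TMPDIR}` with the old predictable pdf$$.* names, and because mktemp's stderr is sent to ${NULLDEV} the user gets no indication that the private directory was not created. Consider printing a warning to stderr in that branch, or trying a `mkdir` of a private subdirectory under a restrictive umask before giving up, so the unprotected path is at least visible. Separately, both `trap "rm -rf ${GROFF_TMPDIR}" 0` and `trap "rm -f ${GROFF_TMPDIR}/pdf$$.*" 0` expand the variable when the trap is set and leave it unquoted in the command that runs at exit, so a TMPDIR containing spaces or shell metacharacters is word-split or re-parsed, which matters most for the `rm -rf` form. Single-quoting the trap body and double-quoting the variable inside it, as in `trap 'rm -rf "${GROFF_TMPDIR}"' 0`, avoids that.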