Import vendor fix for insecure temporary filename creation with the

'<<' operator, reported on bugtraq by proton <proton@ENERGYMECH.NET>
svn path=/vendor/tcsh/dist/; revision=68332
2000-11-04 22:23:19 +00:00 · 2000-11-04 22:23:19 +00:00 · b3a5f6c29d · 2020-12-20 02:59:44 +00:00
commit b3a5f6c29d
parent b2be84b199
1 changed files with 19 additions and 7 deletions
--- a/contrib/tcsh/sh.dol.c
+++ b/contrib/tcsh/sh.dol.c
@ -1,4 +1,4 @@
-/* $Header: /src/pub/tcsh/sh.dol.c,v 3.40 2000/06/10 21:36:06 kim Exp $ */
+/* $Header: /src/pub/tcsh/sh.dol.c,v 3.42 2000/10/31 16:55:52 christos Exp $ */
 /*
 * sh.dol.c: Variable substitutions
 */
@ -36,7 +36,7 @@
 */
 #include "sh.h"

-RCSID("$Id: sh.dol.c,v 3.40 2000/06/10 21:36:06 kim Exp $")
+RCSID("$Id: sh.dol.c,v 3.42 2000/10/31 16:55:52 christos Exp $")

 /*
 * C shell
@ -1017,7 +1017,7 @@ void
 heredoc(term)
    Char   *term;
 {
-    register int c;
+    int c;
    Char   *Dv[2];
    Char    obuf[BUFSIZE], lbuf[BUFSIZE], mbuf[BUFSIZE];
    int     ocnt, lcnt, mcnt;
@ -1025,7 +1025,9 @@ heredoc(term)
    Char  **vp;
    bool    quoted;
    char   *tmp;
+    struct timeval tv;

+again:
    tmp = short2str(shtemp);
 #ifndef O_CREAT
 # define O_CREAT 0
@ -1036,12 +1038,22 @@ heredoc(term)
 #ifndef O_TEMPORARY
 # define O_TEMPORARY 0
 #endif
-    if (open(tmp, O_RDWR|O_CREAT|O_TEMPORARY) < 0) {
-	int     oerrno = errno;
-
+#ifndef O_EXCL
+# define O_EXCL 0
+#endif
+    if (open(tmp, O_RDWR|O_CREAT|O_EXCL|O_TEMPORARY) == -1) {
+	int oerrno = errno;
+	if (errno == EEXIST) {
+	    if (unlink(tmp) == -1) {
+		(void) gettimeofday(&tv, NULL);
+		shtemp = Strspl(STRtmpsh, putn((((int)tv.tv_sec) ^ 
+		    ((int)tv.tv_usec) ^ ((int)doldol)) & 0x00ffffff));
+	    }
+	    goto again;
+	}
 	(void) unlink(tmp);
 	errno = oerrno;
-	stderror(ERR_SYSTEM, tmp, strerror(errno));
+ 	stderror(ERR_SYSTEM, tmp, strerror(errno));
    }
    (void) unlink(tmp);		/* 0 0 inode! */
    Dv[0] = term;