Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Open only plain files [please someone add O_REG_ONLY]. Since /etc/daily 

runs calendar -a, a malicious user can put a fifo in his home directory
to prevent calendar from completing. Many thanks to: dynamo@ime.net
This commit is contained in:
christos 2000-11-29 15:29:51 +00:00
parent 0bbc767215
commit e8048693f8
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
usr.bin/calendar/calendar.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: calendar.c,v 1.22 2000/04/14 06:07:14 simonb Exp $ */
/* $NetBSD: calendar.c,v 1.23 2000/11/29 15:29:51 christos Exp $ */
/*
* Copyright (c) 1989, 1993, 1994
@ -43,7 +43,7 @@ __COPYRIGHT("@(#) Copyright (c) 1989, 1993\n\
#if 0
static char sccsid[] = "@(#)calendar.c 8.4 (Berkeley) 1/7/95";
#endif
__RCSID("$NetBSD: calendar.c,v 1.22 2000/04/14 06:07:14 simonb Exp $");
__RCSID("$NetBSD: calendar.c,v 1.23 2000/11/29 15:29:51 christos Exp $");
#endif /* not lint */
#include <sys/param.h>
@ -325,10 +325,10 @@ opencal()
int fd, pdes[2];
/* open up calendar file as stdin */
if (!freopen(fname, "r", stdin)) {
if (!freopen(fname, "rf", stdin)) {
if (doall)
return (NULL);
errx(1, "no calendar file.");
err(1, "Cannot open `%s'", fname);
}
if (pipe(pdes) < 0)
return (NULL);