o add search-word support for CGI
o fix a security issue in CGI suffix handler support which would
allow remote code execution, from shm@netbsd.org
o -C option supports now CGI scripts only
and UseLogin=yes in sshd_config, then a hostile local user may
attack /bin/login via LD_PRELOAD or similar environment variables
set via PAM.
CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
https://anongit.mindrot.org/openssh.git/commit/?\
id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755
XXX: pullup-7
For internal use, we expect psrefs to be held by other LWPs when
asking in the cross-call thread whether the target in question is
referenced.
For public use, the caller should not assert about some other LWP
holding a psref.
But the rest of the logic is the same.
show arptab command of ddb is now inappropriate because it actually dumps
routes but arp entries aren't routes anymore. So rename it to show routes
and move the code from if_arp.c to route.c.
ok christos@
some of the slot finding and updating code into their own function.
- Add a new label "next" in the main search loop to avoid nesting and
code duplication.
- Cache some reclen and ino variables for better readability and efficiency.
Revert the supporting logic in -r1.190 of vfs_lookup.c, and fix the
important change to set searchdir = NULL instead of searchdir =
foundobj. Then supply the necessary new supporting logic to cope with
some new cases where searchdir can be null.
This is at the point when lookup_once crosses a mountpoint going down;
the idea was to avoid coupling locks across filesystems as that has a
number of potentially negative consequences. At this stage of namei,
though, it's important to set searchdir to null as this is what is
used later on to handle other cases arising from crossing mount
points. If you set it to be the same as foundobj, that instead creates
the impression that you looked up "/." on the new volume, and that
causes odd things to happen in corner cases such as the one appearing
in PR 47040.
This fix ought to be pulled up to -6 and -7, and it probably could be
safely, but given the delicacy of this code and the fact that it's
taken me more than three years to find the combination of time and
intestinal fortitude to do it, as well as the minor nature of the
resulting wrong behavior observed so far, I think we'll let that part
go.
This change also exposes an annoying corner case: if you cross a mount
point and the root directory vnode of the new volume is not a
directory but a symlink, we now have no searchdir to follow the
symlink relative to. In principle one could hang onto the searchdir
from before calling lookup_once and use that, or complexify the
interface of lookup_once to hang onto it as desired for this case.
Alternatively one could add the necessary null checks to namei_follow
and allow only absolute symlinks in this case, as for an absolute
symlink one doesn't need the old searchdir. However, given that only
broken filesystems have symlinks as their root vnodes, I'm not going
to bother. Instead if this happens we'll just fail with ENOTDIR.
