diff options
author | maya <maya@pkgsrc.org> | 2016-09-22 09:07:08 +0000 |
---|---|---|
committer | maya <maya@pkgsrc.org> | 2016-09-22 09:07:08 +0000 |
commit | 26f2cfa4b80030f795b7e3e3cc15bf9ab06f026c (patch) | |
tree | 02fa0ba2244c1b3e6fccf1f96c79cc599e9a946d /chat | |
parent | e68ddc8a77cfa679a93a1b2d54d4357cf84939e0 (diff) | |
download | pkgsrc-26f2cfa4b80030f795b7e3e3cc15bf9ab06f026c.tar.gz |
irssi: add patch for buf.pl update as it is shipped with irssi.
previously it would create a world readable file containing chat
logs when /upgrade was used.
while a security fix, you have to jump through many hoops to be
affected by it - we don't enable perl scripts by default, we
don't run that perl script by default, and you'd have to know that
/upgrade exists in the first place, and run on a system where world
readability of files is a concern.
still, grab upstream update, bump PKGREVISION.
Diffstat (limited to 'chat')
-rw-r--r-- | chat/irssi/Makefile | 3 | ||||
-rw-r--r-- | chat/irssi/distinfo | 3 | ||||
-rw-r--r-- | chat/irssi/patches/patch-scripts_buf.pl | 105 |
3 files changed, 109 insertions, 2 deletions
diff --git a/chat/irssi/Makefile b/chat/irssi/Makefile index 31a987cacfe..bfd7bcc2a2c 100644 --- a/chat/irssi/Makefile +++ b/chat/irssi/Makefile @@ -1,8 +1,9 @@ -# $NetBSD: Makefile,v 1.72 2016/08/14 21:10:35 maya Exp $ +# $NetBSD: Makefile,v 1.73 2016/09/22 09:07:08 maya Exp $ DISTNAME= ${IRSSI_DISTNAME} CATEGORIES= chat EXTRACT_SUFX= ${IRSSI_EXTRACT_SUFX} +PKGREVISION= 1 MAINTAINER= maya@NetBSD.org HOMEPAGE= http://www.irssi.org/ diff --git a/chat/irssi/distinfo b/chat/irssi/distinfo index a0dfb7435a9..daa18dc80cb 100644 --- a/chat/irssi/distinfo +++ b/chat/irssi/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.36 2016/09/21 20:53:57 maya Exp $ +$NetBSD: distinfo,v 1.37 2016/09/22 09:07:08 maya Exp $ SHA1 (irssi-0.8.20.tar.gz) = 080be963f79be5921a0a5c359e163bb8c8fd9fbc RMD160 (irssi-0.8.20.tar.gz) = 4425bfc55f07b8113cd0d31055d5ad1d8e51e1e3 @@ -6,3 +6,4 @@ SHA512 (irssi-0.8.20.tar.gz) = 9d70453b6ee7d66a2ddc8ca494935aaba1a5cf56c9e70cceb Size (irssi-0.8.20.tar.gz) = 1565952 bytes SHA1 (patch-aa) = 83a0f6def09cb283aa55b63a249a81121748232b SHA1 (patch-ad) = 8cb41612afcd6088b869235166da9a6eb37e6ec7 +SHA1 (patch-scripts_buf.pl) = bd18e2b416f163849845fd14b5135c640a89d659 diff --git a/chat/irssi/patches/patch-scripts_buf.pl b/chat/irssi/patches/patch-scripts_buf.pl new file mode 100644 index 00000000000..3be02048253 --- /dev/null +++ b/chat/irssi/patches/patch-scripts_buf.pl @@ -0,0 +1,105 @@ +$NetBSD: patch-scripts_buf.pl,v 1.1 2016/09/22 09:07:08 maya Exp $ + +Don't create a world readable file containing chat contents. +https://irssi.org/2016/09/22/buf.pl-update/ + +--- scripts/buf.pl.orig 2016-08-11 12:59:21.000000000 +0000 ++++ scripts/buf.pl +@@ -5,7 +5,7 @@ use Irssi qw(command signal_add signal_a + settings_get_str settings_get_bool channels windows + settings_add_str settings_add_bool get_irssi_dir + window_find_refnum signal_stop); +-$VERSION = '2.13'; ++$VERSION = '2.20'; + %IRSSI = ( + authors => 'Juerd', + contact => 'juerd@juerd.nl', +@@ -13,10 +13,8 @@ $VERSION = '2.13'; + description => 'Saves the buffer for /upgrade, so that no information is lost', + license => 'Public Domain', + url => 'http://juerd.nl/irssi/', +- changed => 'Mon May 13 19:41 CET 2002', +- changes => 'Severe formatting bug removed * oops, I ' . +- 'exposed Irssi to ircII foolishness * sorry ' . +- '** removed logging stuff (this is a fix)', ++ changed => 'Thu Sep 22 01:37 CEST 2016', ++ changes => 'Fixed file permissions (leaked everything via filesystem)', + note1 => 'This script HAS TO BE in your scripts/autorun!', + note2 => 'Perl support must be static or in startup', + ); +@@ -39,9 +37,15 @@ use Data::Dumper; + + my %suppress; + ++sub _filename { sprintf '%s/scrollbuffer', get_irssi_dir } ++ + sub upgrade { +- open BUF, q{>}, sprintf('%s/scrollbuffer', get_irssi_dir) or die $!; +- print BUF join("\0", map $_->{server}->{address} . $_->{name}, channels), "\n"; ++ my $fn = _filename; ++ my $old_umask = umask 0077; ++ open my $fh, q{>}, $fn or die "open $fn: $!"; ++ umask $old_umask; ++ ++ print $fh join("\0", map $_->{server}->{address} . $_->{name}, channels), "\n"; + for my $window (windows) { + next unless defined $window; + next if $window->{name} eq 'status'; +@@ -57,36 +61,39 @@ sub upgrade { + redo if defined $line; + } + } +- printf BUF "%s:%s\n%s", $window->{refnum}, $lines, $buf; ++ printf $fh "%s:%s\n%s", $window->{refnum}, $lines, $buf; + } +- close BUF; ++ close $fh; + unlink sprintf("%s/sessionconfig", get_irssi_dir); + command 'layout save'; + command 'save'; + } + + sub restore { +- open BUF, q{<}, sprintf('%s/scrollbuffer', get_irssi_dir) or die $!; +- my @suppress = split /\0/, <BUF>; ++ my $fn = _filename; ++ open my $fh, q{<}, $fn or die "open $fn: $!"; ++ unlink $fn or warn "unlink $fn: $!"; ++ ++ my @suppress = split /\0/, readline $fh; + if (settings_get_bool 'upgrade_suppress_join') { + chomp $suppress[-1]; + @suppress{@suppress} = (2) x @suppress; + } + active_win->command('^window scroll off'); +- while (my $bla = <BUF>){ ++ while (my $bla = readline $fh){ + chomp $bla; + my ($refnum, $lines) = split /:/, $bla; + next unless $lines; + my $window = window_find_refnum $refnum; + unless (defined $window){ +- <BUF> for 1..$lines; ++ readline $fh for 1..$lines; + next; + } + my $view = $window->view; + $view->remove_all_lines(); + $view->redraw(); + my $buf = ''; +- $buf .= <BUF> for 1..$lines; ++ $buf .= readline $fh for 1..$lines; + my $sep = settings_get_str 'upgrade_separator'; + $sep .= "\n" if $sep ne ''; + $window->gui_printtext_after(undef, MSGLEVEL_CLIENTNOTICE, "$buf\cO$sep"); +@@ -119,3 +126,10 @@ signal_add 'event join' => 's + unless (-f sprintf('%s/scripts/autorun/buf.pl', get_irssi_dir)) { + Irssi::print('PUT THIS SCRIPT IN ~/.irssi/scripts/autorun/ BEFORE /UPGRADING!!'); + } ++ ++# Remove any left-over file. If 'session' doesn't exist (created by irssi ++# during /UPGRADE), neither should our file. ++unless (-e sprintf('%s/session', get_irssi_dir)) { ++ my $fn = _filename; ++ unlink $fn or warn "unlink $fn: $!" if -e $fn; ++} |