author | kei <kei> | 2004-10-22 12:49:02 +0000 |
---|---|---|
committer | kei <kei> | 2004-10-22 12:49:02 +0000 |
commit | 53533efe24139b3b7b203c6a4ca897381bcfa38e (patch) | |
tree | 17cd32b6f93836728fc2a8f54c3310806939d980 /print | |
parent | b285c08c9e0462980cdb63d69b645c2a02505969 (diff) | |
xdvizilla had unsafe temporary file usage. fixes (diffs between 1.2 and
1.10) are pulled from its CVS repository.
closes pkga22940 by Jeremy C. Reed.
Diffstat (limited to 'print')
-rw-r--r-- | print/teTeX-bin/distinfo | 3 | ||||
-rw-r--r-- | print/teTeX-bin/patches/patch-ag | 196 |
2 files changed, 198 insertions, 1 deletions
diff --git a/print/teTeX-bin/distinfo b/print/teTeX-bin/distinfo
index 66282f6eac5..9b7e0b98cc1 100644
--- a/print/teTeX-bin/distinfo
+++ b/print/teTeX-bin/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.5 2004/10/11 04:54:05 minskim Exp $
+$NetBSD: distinfo,v 1.6 2004/10/22 12:49:02 kei Exp $
 SHA1 (teTeX/tetex-src-2.0.2.tar.gz) = 6445206b14d659458ee352df78d2c2daf8e88ab3
 Size (teTeX/tetex-src-2.0.2.tar.gz) = 11745933 bytes
@@ -8,5 +8,6 @@ SHA1 (patch-ac) = 7e96a7a14090a6b3009d3562b18ee8383d50d3e0
 SHA1 (patch-ad) = 377f52b45ea66b88f682aaa7f0dd72dee8f986fb
 SHA1 (patch-ae) = 68825699db129b82f476c37ba3b6e20a8831ad6e
 SHA1 (patch-af) = d5fd0e1b30b1ea9fd96fe5983088df5a723f04b7
+SHA1 (patch-ag) = 9dd4ce8fc1dad6555a59fd3734364ebf9117b4f5
 SHA1 (patch-ap) = 40543e9a2fb87d296557f3a8bd9a7207b2331a8e
 SHA1 (patch-aq) = f90ed07b2de340c55c6d987fdaa59d7ed6d46e0f
diff --git a/print/teTeX-bin/patches/patch-ag b/print/teTeX-bin/patches/patch-ag
new file mode 100644
index 00000000000..399036528f1
--- /dev/null
+++ b/print/teTeX-bin/patches/patch-ag
@@ -0,0 +1,196 @@
+$NetBSD: patch-ag,v 1.3 2004/10/22 12:49:02 kei Exp $
+
+This diff is taken from the url below:
+http://cvs.sourceforge.net/viewcvs.py/xdvi/xdvik/texk/xdvik/xdvizilla?r1=text&tr1=1.2&r2=text&tr2=1.10&diff_format=u
+
+===================================================================
+RCS file: /cvsroot/xdvi/xdvik/texk/xdvik/xdvizilla,v
+retrieving revision 1.2
+retrieving revision 1.10
+diff -u -r1.2 -r1.10
+--- xdvi/xdvik/texk/xdvik/xdvizilla 2002/10/12 13:29:17 1.2
++++ xdvi/xdvik/texk/xdvik/xdvizilla 2004/02/24 22:37:37 1.10
+@@ -1,11 +1,68 @@
+ #! /bin/sh
+-
++#
+ # This is a kludge to fix helper apps in mozilla. See mozilla bugs #57420
+ # and also #78919.
+-
++#
+ # It's also useful for tar files with Netscape 4.x
++#
++# Copyright (c) 2002-2004 Paul Vojta
++#
++# Permission is hereby granted, free of charge, to any person obtaining a copy
++# of this software and associated documentation files (the "Software"), to
++# deal in the Software without restriction, including without limitation the
++# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
++# sell copies of the Software, and to permit persons to whom the Software is
++# furnished to do so, subject to the following conditions:
++#
++# The above copyright notice and this permission notice shall be included in
++# all copies or substantial portions of the Software.
++#
++# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
++# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
++# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
++# IN NO EVENT SHALL PAUL VOJTA OR ANY OTHER AUTHOR OF OR CONTRIBUTOR TO
++# THIS SOFTWARE BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
++# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
++# IN THE SOFTWARE.
++
++# Some changes suggested by Thomas Esser included by
++# <stefanulrich@users.sourceforge.net>.
+
++IN_FILE=
+ NO_RM=
++TMP_DIR=
++progname=xdvizilla
++
++do_cleanup()
++{
++ exitval=$?
++ if [ -z "$NO_RM" -a -n "$IN_FILE" ] ; then
++ rm -f "$IN_FILE"
++ fi
++ test -n "$TMP_DIR" && rm -rf "$TMP_DIR"
++ exit $exitval
++}
++
++do_abort()
++{
++ xmessage -nearmouse "$progname: $1"
++ do_cleanup
++ exit 1
++}
++
++usage()
++{
++ xmessage -nearmouse "Usage: $progname [-no-rm] <file>"
++ do_cleanup
++ exit 1
++}
++
++trap 'do_cleanup' 1 2 3 7 13 15
++
++### create a temporary directory only read/writable by user
++TMP_DIR=${TMP-/tmp}/$progname.$$
++(umask 077; mkdir "$TMP_DIR") || do_abort "Could not create directory \`$TMP_DIR'"
+
+ if [ $# -gt 1 -a "x$1" = "x-no-rm" ]; then
+ NO_RM=y
+@@ -13,8 +70,7 @@
+ fi
+
+ if [ $# -ne 1 ]; then
+- xmessage -nearmouse 'Usage: xdvizilla [-no-rm] <file>'
+- exit 1
++ usage
+ fi
+
+ DIR=`dirname "$0"`
+@@ -27,55 +83,52 @@
+ DIR=
+ fi
+
+-FILE=$1
+-FILETYPE=`file "$FILE"`
+-
+-case "$FILETYPE" in
+-
+- *"gzip compressed data"*)
+- FILE=/tmp/xdvizilla$$
+- gunzip -c "$1" > $FILE
+- [ -n "$NO_RM" ] || rm -f -- "$1"
+- NO_RM=
+- FILETYPE=`file "$FILE"`
+- ;;
+-
+- *"compressed data"* | *"compress'd data"*)
+- FILE=/tmp/xdvizilla$$
+- uncompress -c "$1" > $FILE
+- [ -n "$NO_RM" ] || rm -f -- "$1"
+- NO_RM=
+- FILETYPE=`file "$FILE"`
+- ;;
+-
+- "$1: empty")
+- xmessage -nearmouse "$1 is an empty file
+-(this is a bug in Mozilla)"
+- [ -n "$NO_RM" ] || rm -f -- "$1"
+- exit 1
+- ;;
+-
+-esac
+-
+-case "$FILETYPE" in
+-
+- *" tar archive")
+- TARDIR=/tmp/xdvitar$$
+- mkdir $TARDIR
+- cat "$FILE" | (cd $TARDIR; tar xf -)
+- DVINAME=`tar tf "$FILE" | grep '\.dvi$' | head -1`
+- [ -n "$NO_RM" ] || rm -f -- "$FILE"
+- if [ -z "$DVINAME" ]; then
+- xmessage -nearmouse "Tar file does not contain a dvi file"
+- else
+- (cd $TARDIR; "$DIR"xdvi -safer "$DVINAME")
+- fi
+- rm -rf $TARDIR
+- ;;
++# need to preserve IN_FILE for eventual deletion
++IN_FILE="$1"
++TMP_FILE="$IN_FILE"
++
++while [ 1 ]; do
++ [ -f "$TMP_FILE" ] || do_abort "$TMP_FILE: File not found."
++ FILETYPE=`file "$TMP_FILE"`
++ case "$FILETYPE" in
++ *"gzip compressed data"*)
++ out="$TMP_DIR"/tmp-gz
++ gunzip -c "$TMP_FILE" > "$out"
++ TMP_FILE="$out"
++ ;;
++ *"compressed data"* | *"compress'd data"*)
++ out="$TMP_DIR"/tmp-compress
++ uncompress -c "$TMP_FILE" > "$out"
++ TMP_FILE="$out"
++ ;;
++ "$TMP_FILE: empty")
++ do_abort "$TMP_FILE is an empty file
++(probably a bug in Mozilla?)"
++ ;;
++ *" tar archive")
++ ### do sanity checks on the tar archive, to avoid overwriting user files:
++ dangerous=`tar tf "$TMP_FILE" | egrep '^(/|.*\.\./)'`
++ [ -z "$dangerous" ] || do_abort "Tar file contains files with absolute paths or \`../' components,
++which may overwrite user files. Not unpacking it."
++ ### also check for gzipped DVI files inside the archive ...
++ out="$TMP_DIR"/`tar tf "$TMP_FILE" | egrep '\.(dvi|dvi.gz|dvi.Z)$' | head -1`
++ if [ -z "$out" ]; then
++ do_abort "Tar file does not contain a dvi file."
++ else
++ cat "$TMP_FILE" | (cd "$TMP_DIR"; tar xf -)
++ TMP_FILE="$out"
++ fi
++ ;;
++ *"DVI file"*)
++ "$DIR"xdvi -safer "$TMP_FILE"
++ break
++ ;;
++ *)
++ do_abort "$TMP_FILE: Unrecognized file format!"
++ ;;
++ esac
++done
+
+- *)
+- "$DIR"xdvi -safer "$FILE"
+- [ -n "$NO_RM" ] || rm -f -- "$FILE"
+- ;;
++do_cleanup
+
+-esac
++exit 0 |
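Review bot: In the tar branch of the patched xdvizilla, `out` is always prefixed with `"$TMP_DIR"/`, so the following `[ -z "$out" ]` test can never be true; an archive with no DVI member is still unpacked and only fails on the next loop pass with a misleading "File not found" message. Capture the `tar tf … | head -1` result in its own variable (say `member`), test `[ -z "$member" ]`, and only then set `out="$TMP_DIR/$member"`. The sanity check just before it filters member names only, so link entries inside the archive appear to be unpacked as-is; extracting just the selected member (`tar xf - "$member"`) would narrow what lands in `$TMP_DIR`. Separately, `TMP_DIR` is assigned before `mkdir` runs, so when `mkdir` fails on an already existing path, `do_abort` calls `do_cleanup`, which runs `rm -rf "$TMP_DIR"` on a directory this script did not create. Assigning `TMP_DIR` only after a successful `mkdir` avoids that, and because `do_cleanup` exits with the `$?` of the preceding `xmessage`, the `exit 1` in `do_abort` and `usage` is never reached.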