Problems:
1.
During expansion of path, the resulting path can overflow the supplied
area of PATH_MAX+2 (buffer as well as buffer2). A tampered environment
variable can be used to modify program flow.
Proof:
[note: wmaker has been compiled with propolice]
$ export A="[tested with 4096x A]"
$ GNUSTEP_USER_ROOT="\$A\$A/\$A/\$A/" wmaker --for-real
*** stack smashing detected ***: wmaker terminated
Aborted
2.
Way too many functions handle a return value of NULL for wexpandpath
improperly, resulting in segfaults (and maybe other problems). To
prove the existance of these issues:
Proof:
$ GNUSTEP_USER_ROOT=~nouser wmaker --for-real
wmaker error: could not get password entry for user nouser: Success
Segmentation fault
Solution:
hard exit with error message about what is going on.
3.
The improper parsing of environment variables can lead to expansion
of path names that were not intended to be expanded.
(a) If a string like "$(var" is found, Window Maker tries to expand "var"
(environment variable) although the syntax is wrong.
Proof:
$ export PROOF=foo
$ GNUSTEP_USER_ROOT=/\$\(PROOF wmaker --for-real
wmaker warning: could not find user GNUstep directory (/foo/Defaults/WindowMaker).
(b) If the variable out of a) cannot be resolved, a closing bracket will be
added.
Proof:
$ unset PROOF
$ GNUSTEP_USER_ROOT=/\$\(PROOF wmaker --for-real
./wmaker warning: could not find user GNUstep directory ($(PROOF)/Defaults/WindowMaker).
Author: Tobias Stoeckmann
Retrieved-from: http://paldium.homeunix.org/tobias/wmaker/
Submitted-by: Gilbert Ashley <amigo@ibiblio.org>
for arq in `git ls-files *.c`; do
echo $arq;
indent -linux -l115 $arq;
done
The different line break at 115 columns is because
I use a widescreen monitor :-)
- Separated the font caches for normal fonts and fontsets in WINGs (they can
have the same names and collide in the cache giving unwanted results)
- Updated the years in the copyright notices
- Also tested the backward compatibility ability of the WINGs proplist code
which seems to work quite well.
Starting with this moment, Window Maker no longer needs libPropList and is
now using the better and much more robust proplist code from WINGs. Also the
WINGs based proplist code is actively maintained while the old libPropList
code is practically dead and flawed by the fact that it borrowed concepts
from the UserDefaults which conflicted with the retain/release mechanism,
making some problems that libPropList had, practically unsolvable without a
complete redesign (which can be found in the more robust WINGs code).
