The original code used the libc "fopen" kind of operation, which are handy
when manipulating text files, but:
- bring an overhead for binary files that we don't need here;
- does not provide the mechanisms for safe error handling and special cases
As Coverity reported a Time-of-Check/Time-of-Use type of security issue,
took the opportunity to fix it and increased the size of the buffer used
for data to allow better use of modern disk performances.
Signed-off-by: Christophe CURIS <christophe.curis@free.fr>
Signed-off-by: Carlos R. Mafra <crmafra@gmail.com>
As reported by coverity, calling 'wexpandpath' with a path that contains
either '$()', '$(\0' or '$\0' would cause an undefined behaviour because
the 'buffer2' would be uninitialised.
Signed-off-by: Christophe CURIS <christophe.curis@free.fr>
As pointed by Coverity (#50226), the function getenv can return unreliable
data, so if a sensitive application makes uses of the function 'wgethomedir'
or 'wusergnusteppath' we'd better use the GNU function secure_getenv which
ignore environment variable when used in a known critical cases.
Signed-off-by: Christophe CURIS <christophe.curis@free.fr>
As pointed by Coverity, the macro RETRY does not behave as expected, as it
assumes that errno is cleared on successful 'fopen' call which is not the
case.
This patch removes the uses of the macro RETRY:
- fopen: with the appropriate check
- fread/fwrite: nothing because they do not set errno
- fclose: nothing because retrying is not recommended
and took the opportunity to add a little bit more information in the error
messages.
Signed-off-by: Christophe CURIS <christophe.curis@free.fr>
As pointed by Coverity, if the user does not a an entry in the password
file then the function would assume its home path to be "/" but still
continue and later try to check for user->pw_dir which would dereference
the NULL pointer.
Signed-off-by: Christophe CURIS <christophe.curis@free.fr>
If the function was called more than once with different usernames
it would always return the path for the user on the first call,
which is not what would be expected.
Furthermore, if the function succeeds it allocated memory to save
this path but it was never freed.
The good thing is that the use case for this function is so rare
that it is improbable it was ever called, which explains why it
was never seen.
The new code always behaves as expected, and does not allocate
memory anymore to avoid wasting time and memory for such small
things, which is acceptable because this function is local.
Signed-off-by: Christophe CURIS <christophe.curis@free.fr>
As a side note, in 'wfindfileinlist' the first argument should be:
const char * const *path_list
However, due to limited support for const in plain C, that would
introduce warnings in user code. For compatibility issues, this
was not implemented.
...in order to avoid clashes that happen during compilation of
wmakerconf.
This is a new function in WINGs, so renaming it at this point is
not a big deal.
Thanks to Rodolfo GarcĂa for the heads up.
This is essentially the fetchFile() from wcolorpanel.c from the last
commit, but renamed to a better name.
This patch just adds the function to the lib. Nobody uses it yet.
wsyserrorwithcode - Not used, no point either.
wsyserror->werror - qualifying "error" with a "type" hardly makes
sense if there are not at least two "type"s. There are not. Safe trip.
Signed-off-by: Tamas TEVESZ <ice@extreme.hu>
- make it use wings functions, remove duplicated code from getstyle
- de-static necessary functions in wings
- add new wrmdirhier to wings
- rename WMMkDirHier to wmkdirhier (fits better)
- remove calling shell from getstyle (what were they thinking?)
i couldn't quite test getstyle (no idea about themes), but it still
basically works.
do back your ~/G dir up... wrmdirhier might eat it!
definitely needs testing, especially by people who have any idea
how themes work.
Some more getstyle
- missed a shell invocation
- maybe copyFile should be in wutils too...?
[crmafra: Folded second patch into the first]
Problems:
1.
During expansion of path, the resulting path can overflow the supplied
area of PATH_MAX+2 (buffer as well as buffer2). A tampered environment
variable can be used to modify program flow.
Proof:
[note: wmaker has been compiled with propolice]
$ export A="[tested with 4096x A]"
$ GNUSTEP_USER_ROOT="\$A\$A/\$A/\$A/" wmaker --for-real
*** stack smashing detected ***: wmaker terminated
Aborted
2.
Way too many functions handle a return value of NULL for wexpandpath
improperly, resulting in segfaults (and maybe other problems). To
prove the existance of these issues:
Proof:
$ GNUSTEP_USER_ROOT=~nouser wmaker --for-real
wmaker error: could not get password entry for user nouser: Success
Segmentation fault
Solution:
hard exit with error message about what is going on.
3.
The improper parsing of environment variables can lead to expansion
of path names that were not intended to be expanded.
(a) If a string like "$(var" is found, Window Maker tries to expand "var"
(environment variable) although the syntax is wrong.
Proof:
$ export PROOF=foo
$ GNUSTEP_USER_ROOT=/\$\(PROOF wmaker --for-real
wmaker warning: could not find user GNUstep directory (/foo/Defaults/WindowMaker).
(b) If the variable out of a) cannot be resolved, a closing bracket will be
added.
Proof:
$ unset PROOF
$ GNUSTEP_USER_ROOT=/\$\(PROOF wmaker --for-real
./wmaker warning: could not find user GNUstep directory ($(PROOF)/Defaults/WindowMaker).
Author: Tobias Stoeckmann
Retrieved-from: http://paldium.homeunix.org/tobias/wmaker/
Submitted-by: Gilbert Ashley <amigo@ibiblio.org>
for arq in `git ls-files *.c`; do
echo $arq;
indent -linux -l115 $arq;
done
The different line break at 115 columns is because
I use a widescreen monitor :-)
- Separated the font caches for normal fonts and fontsets in WINGs (they can
have the same names and collide in the cache giving unwanted results)
- Updated the years in the copyright notices
- Also tested the backward compatibility ability of the WINGs proplist code
which seems to work quite well.
Starting with this moment, Window Maker no longer needs libPropList and is
now using the better and much more robust proplist code from WINGs. Also the
WINGs based proplist code is actively maintained while the old libPropList
code is practically dead and flawed by the fact that it borrowed concepts
from the UserDefaults which conflicted with the retain/release mechanism,
making some problems that libPropList had, practically unsolvable without a
complete redesign (which can be found in the more robust WINGs code).
