Bug 699657: properly apply file permissions to .tempfile

author: Chris Liddell <chris.liddell@artifex.com> 2018-08-21 20:17:05 +0100
committer: Chris Liddell <chris.liddell@artifex.com> 2018-08-23 10:23:18 +0100
commit: 0d3901189f245232f0161addf215d7268c4d05a3 (patch)
tree: 07ac290a40b1405d703fecf297a2c192df93139a
parent: c3476dde7743761a4e1d39a631716199b696b880 (diff)
1 files changed, 18 insertions, 2 deletions
diff --git a/psi/zfile.c b/psi/zfile.c
index a0acd5a2e..19996b09c 100644
--- a/psi/zfile.c
+++ b/psi/zfile.c
@@ -134,7 +134,7 @@ check_file_permissions_reduced(i_ctx_t *i_ctx_p, const char *fname, int len,
    /* we're protecting arbitrary file system accesses, not Postscript device accesses.
     * Although, note that %pipe% is explicitly checked for and disallowed elsewhere
     */
-    if (iodev != iodev_default(imemory)) {
+    if (iodev && iodev != iodev_default(imemory)) {
        return 0;
    }
@@ -734,7 +734,23 @@ ztempfile(i_ctx_t *i_ctx_p)
    }
    if (gp_file_name_is_absolute(pstr, strlen(pstr))) {
-        if (check_file_permissions(i_ctx_p, pstr, strlen(pstr),
+        int plen = strlen(pstr);
+        const char *sep = gp_file_name_separator();
+#ifdef DEBUG
+        int seplen = strlen(sep);
+        if (seplen != 1)
+            return_error(gs_error_Fatal);
+#endif
+        /* strip off the file name prefix, leave just the directory name
+         * so we can check if we are allowed to write to it
+         */
+        for ( ; plen >=0; plen--) {
+            if (pstr[plen] == sep[0])
+                break;
+        }
+        memcpy(fname, pstr, plen);
+        fname[plen] = '\0';
+        if (check_file_permissions(i_ctx_p, fname, strlen(fname),
                                   NULL, "PermitFileWriting") < 0) {
            code = gs_note_error(gs_error_invalidfileaccess);
            goto done;
author	Chris Liddell <chris.liddell@artifex.com>	2018-08-21 20:17:05 +0100
committer	Chris Liddell <chris.liddell@artifex.com>	2018-08-23 10:23:18 +0100
commit	0d3901189f245232f0161addf215d7268c4d05a3 (patch)
tree	07ac290a40b1405d703fecf297a2c192df93139a
parent	c3476dde7743761a4e1d39a631716199b696b880 (diff)

diff --git a/psi/zfile.c b/psi/zfile.c index a0acd5a2e..19996b09c 100644 --- a/psi/zfile.c +++ b/psi/zfile.c
@@ -134,7 +134,7 @@ check_file_permissions_reduced(i_ctx_t i_ctx_p, const char fname, int len,
134	/* we're protecting arbitrary file system accesses, not Postscript device accesses.	134	/* we're protecting arbitrary file system accesses, not Postscript device accesses.
135	* Although, note that %pipe% is explicitly checked for and disallowed elsewhere	135	* Although, note that %pipe% is explicitly checked for and disallowed elsewhere
136	*/	136	*/
137	if (iodev != iodev_default(imemory)) {	137	if (iodev && iodev != iodev_default(imemory)) {
138	return 0;	138	return 0;
139	}	139	}
140		140
@@ -734,7 +734,23 @@ ztempfile(i_ctx_t *i_ctx_p)
734	}	734	}
735		735
736	if (gp_file_name_is_absolute(pstr, strlen(pstr))) {	736	if (gp_file_name_is_absolute(pstr, strlen(pstr))) {
737	if (check_file_permissions(i_ctx_p, pstr, strlen(pstr),	737	int plen = strlen(pstr);
		738	const char *sep = gp_file_name_separator();
		739	#ifdef DEBUG
		740	int seplen = strlen(sep);
		741	if (seplen != 1)
		742	return_error(gs_error_Fatal);
		743	#endif
		744	/* strip off the file name prefix, leave just the directory name
		745	* so we can check if we are allowed to write to it
		746	*/
		747	for ( ; plen >=0; plen--) {
		748	if (pstr[plen] == sep[0])
		749	break;
		750	}
		751	memcpy(fname, pstr, plen);
		752	fname[plen] = '\0';
		753	if (check_file_permissions(i_ctx_p, fname, strlen(fname),
738	NULL, "PermitFileWriting") < 0) {	754	NULL, "PermitFileWriting") < 0) {
739	code = gs_note_error(gs_error_invalidfileaccess);	755	code = gs_note_error(gs_error_invalidfileaccess);
740	goto done;	756	goto done;