head 1.1; access; symbols OPENPKG_1_1_SOLID:1.1.0.2; locks; strict; comment @# @; 1.1 date 2003.06.03.12.11.19; author thl; state dead; branches 1.1.2.1; next ; 1.1.2.1 date 2003.06.03.12.11.19; author thl; state Exp; branches; next ; desc @@ 1.1 log @file ghostscript.patch was initially added on branch OPENPKG_1_1_SOLID. @ text @@ 1.1.2.1 log @SA-2003.030-ghostscript; CAN-2003-0354; execute arbitrary commands @ text @a0 104 --- gs7.04/src/zfile.c.orig Wed Jan 30 21:08:31 2002 +++ gs7.04/src/zfile.c Tue Jun 3 12:58:31 2003 @@@@ -53,7 +53,7 @@@@ extern const char iodev_dtype_stdio[]; /* Forward references: file name parsing. */ -private int parse_file_name(P2(const ref * op, gs_parsed_file_name_t * pfn)); +private int parse_file_name(P3(const ref * op, gs_parsed_file_name_t * pfn, bool safemode)); private int parse_real_file_name(P4(const ref * op, gs_parsed_file_name_t * pfn, gs_memory_t *mem, client_name_t cname)); @@@@ -153,20 +153,6 @@@@ /* recognized as a file name separator as on DOS & Windows */ const char *filenamesep = gp_file_name_concat_string("\\", 1); - /* - * We can't know where we will get to if we reference the parent - * directory, so don't allow access if LockFilePermissions is true - * Also check here for the %pipe device which is illegal when - * LockFilePermissions is true. In the future we might want to allow - * the %pipe device to be included on the PermitFile... paths, but - * for now it is simply disallowed. 
- */ - if (i_ctx_p->LockFilePermissions && - (gp_file_name_references_parent(fname, len) || - string_match(fname, len, "%pipe*", 5, NULL)) - ) { - return e_invalidfileaccess; - } if (dict_find_string(&(i_ctx_p->userparams), permitgroup, &permitlist) <= 0) return 0; /* if Permissions not found, just allow access */ for (i=0; iLockFilePermissions); if (code < 0) return code; /* @@@@ -382,7 +368,7 @@@@ if (pname1.iodev != pname2.iodev || (check_file_permissions(i_ctx_p, pname1.fname, pname1.len, "PermitFileControl") < 0 && - !file_is_tempfile(i_ctx_p, op - 1) < 0) || + !file_is_tempfile(i_ctx_p, op - 1)) || check_file_permissions(i_ctx_p, pname2.fname, pname2.len, "PermitFileControl") < 0 || check_file_permissions(i_ctx_p, pname2.fname, pname2.len, @@@@ -422,7 +408,7 @@@@ { gs_parsed_file_name_t pname; struct stat fstat; - int code = parse_file_name(op, &pname); + int code = parse_file_name(op, &pname, i_ctx_p->LockFilePermissions); if (code < 0) return code; @@@@ -558,7 +544,7 @@@@ stream *s; check_ostack(2); - code = parse_file_name(op, &pname); + code = parse_file_name(op, &pname, i_ctx_p->LockFilePermissions); if (code < 0) return code; if (pname.iodev == NULL) @@@@ -609,7 +595,7 @@@@ } } if (code < 0) { - if (code == e_VMerror) + if (code == e_VMerror || code == e_invalidfileaccess) return code; push(1); make_false(op); @@@@ -712,11 +698,24 @@@@ /* Parse a file name into device and individual name. */ /* See gsfname.c for details. */ private int -parse_file_name(const ref * op, gs_parsed_file_name_t * pfn) +parse_file_name(const ref * op, gs_parsed_file_name_t * pfn, bool safemode) { + int code; + check_read_type(*op, t_string); - return gs_parse_file_name(pfn, (const char *)op->value.const_bytes, + code = gs_parse_file_name(pfn, (const char *)op->value.const_bytes, r_size(op)); + if (code < 0) + return code; + /* + * Check here for the %pipe device which is illegal when + * LockFilePermissions is true. 
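Review bot: The corrected clause `!file_is_tempfile(i_ctx_p, op - 1)` in the `-382,7` hunk changes what this condition enforces, and neither the code nor the log entry says so. With the old `!file_is_tempfile(...) < 0` the right-hand operand of `&&` was always false, so a failed `PermitFileControl` check on `pname1` never contributed to the result. A comment above the parenthesised pair would make the intent reviewable, for example `/* pname1 may lack PermitFileControl only if it is a temp file */`. The condition starts and ends outside the hunk, so the action taken when it is true is not visible here.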
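Review bot: The widened test `code == e_VMerror || code == e_invalidfileaccess` in the `-609,7` hunk has no comment explaining why these two codes are returned while every other negative code still falls through to `push(1); make_false(op);`. A one-line comment such as `/* a denied access must surface as an error, not as a false result */` would record the reason. The enclosing function begins and ends outside the hunk, so which calls can produce `e_invalidfileaccess` at this point cannot be confirmed from this page.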
In the future we might want to allow + * the %pipe device to be included on the PermitFile... paths, but + * for now it is simply disallowed. + */ + if (pfn->iodev && safemode && strcmp(pfn->iodev->dname, "%pipe%") == 0) + return e_invalidfileaccess; + return code; } /* Parse a real (non-device) file name and convert to a C string. */ @
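Review bot: The guard re-added in `parse_file_name` rejects only the `%pipe%` device; the `gp_file_name_references_parent(fname, len)` test that the `-153,20` hunk deletes together with the old `%pipe*` match is not reinstated in any hunk visible on this page. With `LockFilePermissions` set, a name containing a parent reference is then left to the permit-list loop that follows, whose body is not shown, and the removed comment states why such names were refused outright. If dropping it is intended, the log entry should say why; otherwise keeping `if (i_ctx_p->LockFilePermissions && gp_file_name_references_parent(fname, len)) return e_invalidfileaccess;` in place of the deleted block would preserve the guard. Some text between the `-153,20` and `-382,7` hunks is missing from this page, so this should be confirmed against the full patch. The comment above `parse_file_name` should also describe the new `safemode` parameter.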