# ------------------------------------------------------------------------------ # CHANGES | 12 ++++++++++++ # src/HTInit.c | 23 ++++++++++++----------- # src/LYUtils.c | 9 ++++++--- # src/LYUtils.h | 6 ++++++ # 4 files changed, 36 insertions(+), 14 deletions(-) # ------------------------------------------------------------------------------ Index: CHANGES --- lynx2.8.4rel.1d+/CHANGES 2006-11-15 23:38:55.000000000 +0000 +++ lynx2.8.4rel.1e/CHANGES 2006-11-16 00:12:03.000000000 +0000 @@ -1,6 +1,18 @@ Changes since Lynx 2.8 release =============================================================================== +2006-11-15 (2.8.4rel.1e from 2.8.7dev.2 and 2.8.7dev.3) +* limit files set via PERSONAL_EXTENSION_MAP and PERSONAL_MAILCAP to be found + relative to the user's home directory. This change is less flexible than the + development version, but simpler to implement. The check to ensure that + the files are controlled by the user is retained (Redhat #214205) -TD +* ensure that the configured values for PERSONAL_EXTENSION_MAP and + PERSONAL_MAILCAP are absolute pathnames -TD +* modify logic for reading PERSONAL_EXTENSION_MAP and PERSONAL_MAILCAP to + ensure that they are files that are controlled only by the user. The + default values for these allow lynx to read configuration information + from the user's current directory at lynx's startup (Debian #396949) -TD + extracted from 2002-09-12 (2.8.5dev.9) * correct inverted logic of restrictions table which made "-restrict=default" provide incorrect values for several items. This was broken in 2.8.4dev.19 Index: src/HTInit.c --- lynx2.8.4rel.1d+/src/HTInit.c 2001-06-03 21:17:35.000000000 +0000 +++ lynx2.8.4rel.1e/src/HTInit.c 2006-11-16 00:11:21.000000000 +0000 
@@ -157,13 +157,14 @@ /* * Load the local maps. */ - if (LYCanReadFile(personal_type_map)) { - /* These should override everything else. */ - HTLoadTypesConfigFile(personal_type_map); - } else { + { char buffer[LY_MAXPATH]; + LYAddPathToHome(buffer, sizeof(buffer), personal_type_map); - HTLoadTypesConfigFile(buffer); + if (IsOurFile(buffer) + && LYCanReadFile(buffer)) { + HTLoadTypesConfigFile(buffer); + } } /* @@ -1050,14 +1051,14 @@ /* These should override the default extensions as necessary. */ HTLoadExtensionsConfigFile(global_extension_map); - if (LYCanReadFile(personal_extension_map)) { - /* These should override everything else. */ - HTLoadExtensionsConfigFile(personal_extension_map); - } else { + { char buffer[LY_MAXPATH]; + LYAddPathToHome(buffer, sizeof(buffer), personal_extension_map); - /* These should override everything else. */ - HTLoadExtensionsConfigFile(buffer); + if (IsOurFile(personal_extension_map) + && LYCanReadFile(personal_extension_map)) { + HTLoadExtensionsConfigFile(buffer); + } } } Index: src/LYUtils.c --- lynx2.8.4rel.1d+/src/LYUtils.c 2006-11-15 23:38:55.000000000 +0000 +++ lynx2.8.4rel.1e/src/LYUtils.c 2006-11-16 00:17:02.000000000 +0000 @@ -6293,12 +6293,14 @@ * special case of its directory being pointed to by a link from a directory * owned by root and not writable by other users. */ -PRIVATE BOOL IsOurFile ARGS1(char *, name) +PUBLIC BOOL IsOurFile ARGS1(CONST char *, name) { + BOOL result = FALSE; struct stat data; if (lstat(name, &data) == 0 && S_ISREG(data.st_mode) + && (data.st_mode & (S_IWOTH | S_IWGRP)) == 0 && data.st_nlink == 1 && data.st_uid == getuid()) { int linked = FALSE; 
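Review bot: In the `@@ -157,13 +157,14 @@` hunk of src/HTInit.c, `IsOurFile(buffer)` and the later `HTLoadTypesConfigFile(buffer)` each resolve the pathname separately, so the check describes the file at `lstat` time rather than the file that is eventually opened. How much that matters depends on the directory checks inside `IsOurFile`, which are not visible here, so I would record the assumption in a comment such as `/* Checked by name, then opened by name; relies on IsOurFile() vetting the containing directory. */`. The hunk also drops the old `/* These should override everything else. */` comment without a replacement, and a rejected file is skipped with no message outside the trace log. The enclosing function starts and ends outside the hunk.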
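Review bot: In the `@@ -1050,14 +1051,14 @@` hunk of src/HTInit.c the guard tests `personal_extension_map` but the load uses `buffer`, so the ownership and readability checks apply to a different pathname than the one that is read. When the configured value is relative, `IsOurFile(personal_extension_map)` resolves against the current directory, which the CHANGES entry says should no longer be consulted, while the file under the home directory is loaded without being checked. The sibling hunk at `-157,13` checks `buffer`, and this one should too: `if (IsOurFile(buffer)` followed by `&& LYCanReadFile(buffer)) {`. The enclosing function starts outside the hunk.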
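Review bot: The block comment above `IsOurFile` in the `@@ -6293,12 +6293,14 @@` hunk of src/LYUtils.c is not updated for the new `(data.st_mode & (S_IWOTH | S_IWGRP)) == 0` test, and since the function is now PUBLIC its contract should be complete. I would add a line such as `* A file that is writable by group or other is rejected even when the user owns it.` A personal map created under a group-writable umask will therefore be skipped, and the only record is the `CTRACE` line added at the end of the function, so a user-visible hint may be worth considering. The comment and the function body both extend beyond this hunk.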
@@ -6347,9 +6349,10 @@ } while (leaf != path); FREE(path); #endif - return !linked; + result = !linked; } - return FALSE; + CTRACE((tfp, "IsOurFile(%s) %d\n", name, result)); + return result; } /* Index: src/LYUtils.h --- lynx2.8.4rel.1d+/src/LYUtils.h 2001-06-03 21:17:35.000000000 +0000 +++ lynx2.8.4rel.1e/src/LYUtils.h 2006-11-16 00:14:25.000000000 +0000 @@ -147,6 +147,12 @@ extern void statusline PARAMS((CONST char *text)); extern void toggle_novice_line NOPARAMS; +#if defined(UNIX) +extern BOOL IsOurFile PARAMS((CONST char *name)); +#else +#define IsOurFile(name) TRUE +#endif + /* Keeping track of User Interface Pages: */ typedef enum { UIP_UNKNOWN=-1
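Review bot: The non-UNIX branch in the src/LYUtils.h hunk, `#define IsOurFile(name) TRUE`, makes the ownership check in the HTInit.c callers always succeed, and nothing at the declaration says so. A comment would make the platform gap explicit, for example `/* No ownership check on this platform: callers always get TRUE. */`. The macro also discards its argument, so an expression with side effects passed as `name` would behave differently between builds; the callers visible in this patch pass plain variables.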