Date: Sat, 4 Feb 2006 05:18:00 -0000 From: Shaun Amott <shaun@inerd.com> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/92787: [PATCH] Fix ftp/IglooFTP Message-ID: <1139030280.34496@charon.picobyte.net> Resent-Message-ID: <200602040520.k145K3Q4095179@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 92787 >Category: ports >Synopsis: [PATCH] Fix ftp/IglooFTP >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Sat Feb 04 05:20:02 GMT 2006 >Closed-Date: >Last-Modified: >Originator: Shaun Amott >Release: FreeBSD 6.0-STABLE i386 >Organization: >Environment: System: FreeBSD 6.0-STABLE >Description: IglooFTP - Add patches (unbreak port) - Fix "chunk already allocated" error I wasn't personally able to make the program "crash at startup", but I think I have fixed the issue that was causing the error. This is why the port was marked IGNORE. - Add sanity checking to avoid GTK assertion errors due to missing pixmaps. - Resolve two known vulnerabilities: http://secunia.com/advisories/13536/ - Replace tmpnam with mkstemp - Disallow server-provided absolute filenames Hopefully that's enough to get the port back in action. - Shaun >How-To-Repeat: >Fix: --- IglooFTP-0.6.1.diff begins here --- diff -urN IglooFTP.orig/Makefile IglooFTP/Makefile --- IglooFTP.orig/Makefile Sun Dec 4 21:12:57 2005 +++ IglooFTP/Makefile Sat Feb 4 04:49:08 2006 @@ -17,10 +17,6 @@ MAINTAINER= ports@FreeBSD.org COMMENT= Easy to use FTP client for X Window System -IGNORE= crashes at startup -DEPRECATED= ${IGNORE} -EXPIRATION_DATE=2006-02-04 - WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}/src USE_X_PREFIX= yes diff -urN IglooFTP.orig/files/patch-ad IglooFTP/files/patch-ad --- IglooFTP.orig/files/patch-ad Thu Jan 1 01:00:00 1970 +++ IglooFTP/files/patch-ad Sat Feb 4 01:32:50 2006 @@ -0,0 +1,10 @@ +--- dir_tree.c.orig Thu Apr 15 17:05:14 1999 ++++ dir_tree.c Thu Feb 2 02:26:20 2006 +@@ -153,7 +153,6 @@ + new_ptr[0] = 'B'; + gtk_ctree_node_set_row_data_full (ctree, parent, strdup (new_ptr), (GtkDestroyNotify) free); + free (new_ptr); +- free (ptr); // verify that this is a good thing to do + + PARENT_BROWSED_FLAG = TRUE; + } diff -urN IglooFTP.orig/files/patch-ae IglooFTP/files/patch-ae --- IglooFTP.orig/files/patch-ae Thu Jan 1 01:00:00 1970 +++ IglooFTP/files/patch-ae Sat Feb 4 01:29:11 2006 @@ -0,0 +1,70 @@ +--- dialog.c.orig Thu Apr 15 17:05:14 1999 ++++ dialog.c Thu Feb 2 16:40:36 2006 +@@ -112,10 +112,15 @@ + gtk_widget_set_usize (fixed_top, 353, 225); + + sprintf (pixmap_path, "%s/xpm/iglooftp.xpm", SHARE_PATH); +- pixmap = gdk_pixmap_create_from_xpm (startup_window->window, &mask, &startup_window->style->bg[GTK_STATE_NORMAL], pixmap_path); +- igloo_pixmap = gtk_pixmap_new (pixmap, mask); + +- gtk_fixed_put (GTK_FIXED (fixed_top), igloo_pixmap, 0, 0); ++ if (eaccess(pixmap_path, R_OK) == 0) { ++ pixmap = gdk_pixmap_create_from_xpm (startup_window->window, &mask, &startup_window->style->bg[GTK_STATE_NORMAL], pixmap_path); ++ igloo_pixmap = gtk_pixmap_new (pixmap, mask); ++ ++ gtk_fixed_put (GTK_FIXED (fixed_top), igloo_pixmap, 0, 0); ++ } else { ++ mask = pixmap = NULL; ++ } + + startup_label = fixed_label (fixed_top, 10, 205, " "); + gtk_widget_set_usize (startup_label, 300, 24); +@@ -126,8 +131,8 @@ + gtk_widget_show_all (startup_window); + + PROCESS_EVENTS; +- gdk_pixmap_unref (pixmap); +- gdk_pixmap_unref (mask); ++ if (pixmap) gdk_pixmap_unref (pixmap); ++ if (mask) gdk_pixmap_unref (mask); + } + + +@@ -173,14 +178,22 @@ + alert_hbox = h_box (alert_vbox, FALSE, 0, 0); + + sprintf (pixmap_path, "%s/xpm/little_igloo.xpm", SHARE_PATH); +- pixmap = gdk_pixmap_create_from_xpm (alert_window->window, &mask, &alert_window->style->bg[GTK_STATE_NORMAL], pixmap_path); +- igloo_pixmap = gtk_pixmap_new (pixmap, mask); ++ ++ if (eaccess(pixmap_path, R_OK) == 0) { ++ pixmap = gdk_pixmap_create_from_xpm (alert_window->window, &mask, &alert_window->style->bg[GTK_STATE_NORMAL], pixmap_path); ++ igloo_pixmap = gtk_pixmap_new (pixmap, mask); ++ } else { ++ pixmap = mask = NULL; ++ } + + alert_button = gtk_button_new (); + gtk_button_set_relief (GTK_BUTTON (alert_button), GTK_RELIEF_NONE); + +- gtk_container_add (GTK_CONTAINER (alert_button), igloo_pixmap); +- gtk_widget_show (igloo_pixmap); ++ if (pixmap) { ++ gtk_container_add (GTK_CONTAINER (alert_button), igloo_pixmap); ++ gtk_widget_show (igloo_pixmap); ++ } ++ + gtk_box_pack_start (GTK_BOX (alert_hbox), alert_button, TRUE, TRUE, 0); + gtk_widget_show (alert_button); + gtk_signal_connect (GTK_OBJECT (alert_button), "clicked", GTK_SIGNAL_FUNC (open_URL_from_widget), strdup (HOME_URL)); +@@ -198,8 +211,8 @@ + + gtk_widget_show (alert_window); + +- gdk_pixmap_unref (pixmap); +- gdk_pixmap_unref (mask); ++ if (pixmap) gdk_pixmap_unref (pixmap); ++ if (mask) gdk_pixmap_unref (mask); + } + + diff -urN IglooFTP.orig/files/patch-af IglooFTP/files/patch-af --- IglooFTP.orig/files/patch-af Thu Jan 1 01:00:00 1970 +++ IglooFTP/files/patch-af Sat Feb 4 04:38:01 2006 @@ -0,0 +1,272 @@ +--- FTPcommands.h.orig Thu Apr 15 17:05:15 1999 ++++ FTPcommands.h Sat Feb 4 01:12:52 2006 +@@ -14,8 +14,12 @@ + * + */ + ++#include "defines.h" ++ + #define ERROR_REPLY_CODE (FTPctrl->reply[0] == '5' || FTPctrl->reply[0] == '4') + ++extern char tmpfile_template[]; ++ + + + /* LOGIN */ +@@ -282,11 +286,14 @@ + char + FTP_LIST (FTP * FTPctrl, char *filename) + { ++ int fd = -1; + char tmp_filename[256]; + char list_command[10]; + int data_socket = FTP_open_data_connection (FTPctrl); + FILE *local; + ++ sprintf(tmp_filename, tmpfile_template); ++ + if (FTPctrl->host_type == HOST_VMS) + strcpy (list_command, "LIST"); + else +@@ -296,11 +303,18 @@ + + FTP_TYPE_ASCII (FTPctrl); + +- tmpnam (tmp_filename); + if (!FTP_exec_command (FTPctrl, list_command) || ERROR_REPLY_CODE) + return FTP_error (FALSE, "LIST command failed.", "", data_socket); + +- local = fopen (tmp_filename, "w"); ++ if ((fd = mkstemp (tmp_filename)) == -1 || (local = fdopen (fd, "w")) == NULL) ++ { ++ if (fd != -1) { ++ unlink(tmp_filename); ++ close(fd); ++ } ++ return FTP_error (FALSE, "Unable to create temporary file.", "", 0); ++ } ++ + if (!FTP_download (FTPctrl, data_socket, local)) + return FTP_error (FALSE, "Unable to retreive directory listing. ", "", data_socket); + +--- custom_profiles.h.orig Thu Apr 15 17:05:15 1999 ++++ custom_profiles.h Sat Feb 4 00:59:51 2006 +@@ -169,6 +169,7 @@ + static void + delete_user_prof_from_file (GtkWidget * widget, gpointer data) + { ++ int fd = -1; + const int remove_this_one = (int) GTK_CLIST (clist)->selection->data; + char tmp_filename[256]; + char prof_path[1024]; +@@ -180,9 +181,21 @@ + + gtk_widget_destroy (gtk_widget_get_toplevel (widget)); + sprintf (prof_path, "%s/%s/%s", home_path, PREFERENCES_PATH, USER_PROF); +- tmpnam (tmp_filename); ++ sprintf (tmp_filename, "%s.%s", prof_path, "tmp.XXXXXXXX"); ++ ++ if ((fd = mkstemp (tmp_filename)) == -1) { ++ DEBUG("Unable to create temporary file."); ++ return; ++ } ++ ++ close (fd); ++ + rename (prof_path, tmp_filename); +- file_handle = open (tmp_filename, O_RDONLY, RC_PERM); ++ ++ if ((file_handle = open (tmp_filename, O_RDONLY|O_EXCL, RC_PERM)) == -1) { ++ DEBUG("Unable to create temporary file."); ++ return; ++ } + + for (index = 0; index < index_total; index++) + { +--- defines.h.orig Thu Apr 15 17:05:15 1999 ++++ defines.h Sat Feb 4 01:10:47 2006 +@@ -47,6 +47,9 @@ + #define SHARE_PATH "/usr/local/src/IglooFTP" + #endif + ++#define TMPFILE_FILE "IglooFTP.tmp.XXXXXXXX" ++char tmpfile_template[256]; ++ + + #define PREFERENCES_PATH ".IglooFTP" + #define USER_LAYOUT "user.layout" +--- dirlist.c.orig Thu Apr 15 17:05:14 1999 ++++ dirlist.c Fri Feb 3 23:20:24 2006 +@@ -1619,6 +1619,7 @@ + upload_selection_recursive (void) + { + ++ int fd = -1; + GdkColor done_color = GREYCYAN; + GdkColormap *colormap; + GList *selection = GTK_CLIST (clist)->selection; +@@ -1635,8 +1636,15 @@ + + getcwd (current_local_dir, sizeof (current_local_dir)); + +- tmpnam (tmp_filename); +- tmp = fopen (tmp_filename, "w"); ++ if ((fd = mkstemp (tmp_filename)) == -1 || (tmp = fdopen (fd, "w")) == NULL) ++ { ++ if (fd != -1) { ++ unlink(tmp_filename); ++ close(fd); ++ } ++ DEBUG("Unable to create temporary file."); ++ return; ++ } + + colormap = gtk_widget_get_colormap (window); + gdk_color_alloc (colormap, &done_color); +--- ftplist.c.orig Thu Apr 15 17:05:15 1999 ++++ ftplist.c Sat Feb 4 01:15:59 2006 +@@ -1189,6 +1189,15 @@ + IDLE_END; + CHECK_CONNEXION_VOID; + ++ /* Is it worth trying to handle this better? */ ++ ++ char msg_buf[1024]; ++ if ((strchr(filename, '/') != NULL) || (strstr(filename, "..") != NULL)) { ++ snprintf (msg_buf, sizeof(msg_buf), "Skipping non-relative filename: %s", filename); ++ error_message (msg_buf); ++ return; ++ } ++ + if (IGLOO_download (filename, filesize, filedate, NULL)) + { + char that_path[1024]; +@@ -1255,6 +1264,7 @@ + static void + perfom_recursive_command_on_selection (char recursive_command, char *optionnal_arg, char IS_TOP_DIR) + { ++ int fd = -1; + GList *selection = GTK_CLIST (clist)->selection; + gchar *filename; + gchar *fileperm; +@@ -1265,9 +1275,17 @@ + char DIR_FOUND_IN_SELECTION = FALSE; + char *current_remote_dir = strdup (this_session.cwd_dir); + +- tmpnam (tmp_filename); +- tmp = fopen (tmp_filename, "w"); ++ sprintf(tmp_filename, tmpfile_template); + ++ if ((fd = mkstemp (tmp_filename)) == -1 || (tmp = fdopen (fd, "w")) == NULL) ++ { ++ if (fd != -1) { ++ unlink(tmp_filename); ++ close(fd); ++ } ++ DEBUG("Unable to create temporary file."); ++ return; ++ } + + while (selection && (!want_abort)) + { +@@ -1710,6 +1728,7 @@ + static char + download_selection_recursive (void) + { ++ int fd = -1; + GdkColor done_color = GREYCYAN; + GdkColormap *colormap; + GList *selection = GTK_CLIST (clist)->selection; +@@ -1725,10 +1744,19 @@ + char *current_remote_dir = strdup (this_session.cwd_dir); + char current_local_dir[1024]; + ++ sprintf(tmp_filename, tmpfile_template); ++ + getcwd (current_local_dir, sizeof (current_local_dir)); + +- tmpnam (tmp_filename); +- tmp = fopen (tmp_filename, "w"); ++ if ((fd = mkstemp (tmp_filename)) == -1 || (tmp = fdopen (fd, "w")) == NULL) ++ { ++ if (fd != -1) { ++ unlink(tmp_filename); ++ close(fd); ++ } ++ DEBUG("Unable to create temporary file."); ++ return FALSE; ++ } + + colormap = gtk_widget_get_colormap (window); + gdk_color_alloc (colormap, &done_color); +@@ -1748,6 +1776,18 @@ + gtk_clist_get_text (GTK_CLIST (clist), index, 2, &filesize); + gtk_clist_get_text (GTK_CLIST (clist), index, 3, &filedate); + gtk_clist_get_text (GTK_CLIST (clist), index, 4, &fileperm); ++ ++ /* Basic sanity checks */ ++ ++ char msg_buf[1024]; ++ if ((strchr(filename, '/') != NULL) || (strstr(filename, "..") != NULL)) { ++ snprintf (msg_buf, sizeof(msg_buf), "Skipping non-relative filename: %s", filename); ++ error_message (msg_buf); ++ selection = selection->next; ++ gtk_clist_unselect_row (GTK_CLIST (clist), index, 0); ++ gtk_clist_moveto (GTK_CLIST (clist), index, 0, 0.5, 0); ++ continue; ++ } + + if (fileperm[0] != 'd') + { +--- main.c.orig Fri Feb 3 23:52:15 2006 ++++ main.c Sat Feb 4 01:23:16 2006 +@@ -109,6 +109,18 @@ + fpsetmask(0); + #endif + ++ char *td; ++ if ((td = getenv("TMPDIR")) != NULL && strlen(td) != 0) { ++ if (td[strlen(td)-1] == '/') ++ strncpy(tmpfile_template, td, strlen(td)-1); ++ else ++ strncpy(tmpfile_template, td, strlen(td)); ++ } else { ++ strcpy(tmpfile_template, "/tmp"); ++ } ++ strncat(tmpfile_template, "/", sizeof(tmpfile_template)); ++ strncat(tmpfile_template, TMPFILE_FILE, sizeof(tmpfile_template)); ++ + gtk_set_locale (); + gtk_init (&argc, &argv); + +--- session.c.orig Thu Apr 15 17:05:15 1999 ++++ session.c Fri Feb 3 23:20:24 2006 +@@ -32,7 +32,8 @@ + { + FILE *out = NULL; + FTPsession that_session; +- int file_handle; ++ int fd = -1; ++ FILE *file_handle = NULL; + char tmp_filename[MPLEN]; + char spawn_tmp[MPLEN]; + +@@ -41,8 +42,16 @@ + + strcpy (that_session.start_dir, this_session.cwd_dir); + +- tmpnam (tmp_filename); +- file_handle = open (tmp_filename, O_CREAT | O_RDWR, RC_PERM); ++ if ((fd = mkstemp (tmp_filename)) == -1 || (file_handle = fdopen (fd, "w")) == NULL) ++ { ++ if (fd != -1) { ++ unlink(tmp_filename); ++ close(fd); ++ } ++ DEBUG("Unable to create temporary file."); ++ return; ++ } ++ + write (file_handle, &that_session, sizeof (FTPsession)); + close (file_handle); + --- IglooFTP-0.6.1.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1139030280.34496>