gbranden pushed a commit to branch master
in repository groff.
commit c08b62fd2a812e4d390ebf65d6c7d337d512d2b4
Author: G. Branden Robinson <[email protected]>
AuthorDate: Mon Aug 21 06:35:49 2023 -0500
[grops]: Fix Savannah #64577 (file diagnostics).
* src/devices/grops/ps.cpp (ps_printer::define_encoding):
* src/devices/grops/psrm.cpp (resource_manager::output_prolog)
(resource_manager::supply_resource): Report more intelligible
diagnostics when libgroff's `font::open_file()` returns a null pointer
without setting `errno`. The only way this can happen is if it
rejected the file name for containing a slash, thus attempting
directory traversal (recall Savannah #61424). Also fix code style
nits: explicitly `#include` errno.h C standard library header, align
style of null pointer checks, and stop explicitly setting `errno` to
zero before (indirectly) calling `fopen()`; we inspect `errno`'s value
only under a documented error condition (a null stream pointer). See
errno(3).
* NEWS: Add item; we should have mentioned this (and produced these
better diagnostics) when 1.23.0 was released. Distributors may find
this change desirable to backport.
Fixes <https://savannah.gnu.org/bugs/?64577>. Thanks to Phil Chadwick
for the report and Deri James for swiftly finding a correct workaround
that suited the reporter.
---
ANNOUNCE | 1 +
ChangeLog | 23 +++++++++++++++++++++++
NEWS | 9 +++++++++
src/devices/grops/ps.cpp | 9 ++++++++-
src/devices/grops/psrm.cpp | 25 ++++++++++++++++++-------
5 files changed, 59 insertions(+), 8 deletions(-)
diff --git a/ANNOUNCE b/ANNOUNCE
index ba37d6cee..dbde44677 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -186,6 +186,7 @@ Michał Kruszewski
Mike Fulton
Nikita Ivanov
Peter Schaffter
+Phil Chadwick
Ralph Corderoy
Thorsten Glaser
наб
diff --git a/ChangeLog b/ChangeLog
index 686a1ad45..fb7301878 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,26 @@
+2023-08-21 G. Branden Robinson <[email protected]>
+
+ * src/devices/grops/ps.cpp (ps_printer::define_encoding):
+ * src/devices/grops/psrm.cpp (resource_manager::output_prolog)
+ (resource_manager::supply_resource): Report more intelligible
+ diagnostics when libgroff's `font::open_file()` returns a null
+ pointer without setting `errno`. The only way this can happen
+ is if it rejected the file name for containing a slash, thus
+ attempting directory traversal (recall Savannah #61424). Also
+ fix code style nits: explicitly `#include` errno.h C standard
+ library header, align style of null pointer checks, and stop
+ explicitly setting `errno` to zero before (indirectly) calling
+ `fopen()`; we inspect `errno`'s value only under a documented
+ error condition (a null stream pointer). See errno(3).
+
+ * NEWS: Add item; we should have mentioned this (and produced
+ these better diagnostics) when 1.23.0 was released.
+ Distributors may find this change desirable to backport.
+
+ Fixes <https://savannah.gnu.org/bugs/?64577>. Thanks to Phil
+ Chadwick for the report and Deri James for swiftly finding a
+ correct workaround that suited the reporter.
+
2023-08-19 G. Branden Robinson <[email protected]>
* src/roff/troff/node.cpp (class tfont_spec): Stop declaring
diff --git a/NEWS b/NEWS
index 1476492e6..e8f62b3c1 100644
--- a/NEWS
+++ b/NEWS
@@ -624,6 +624,15 @@ o On output devices using the Latin-1 character encoding
("groff -T
sequences like `this' in the input (character remapping with 'char'
requests and similar notwithstanding).
+o The grops driver (which produces PostScript), like the `fp` request
+ in the troff formatter (see above), no longer no longer accepts file
+ names with slashes in them as a document prologue, encoding file, or
+ resource (such as a font to be downloaded). All such files must be
+ accessible within the directory of the output device for which they
+ were prepared. Use the GROFF_FONT_PATH environment variable or
+ groff's "-F" command-line option to specify additional directories in
+ which such files should be sought.
+
gropdf
------
diff --git a/src/devices/grops/ps.cpp b/src/devices/grops/ps.cpp
index 33fce911c..e047fa85c 100644
--- a/src/devices/grops/ps.cpp
+++ b/src/devices/grops/ps.cpp
@@ -31,6 +31,8 @@ along with this program. If not, see
<http://www.gnu.org/licenses/>. */
#include "curtime.h"
#include "ps.h"
+
+#include <errno.h> // errno
#include <time.h>
#ifdef NEED_DECLARATION_PUTENV
@@ -788,8 +790,13 @@ void ps_printer::define_encoding(const char *encoding, int
encoding_index)
vec[i] = 0;
char *path;
FILE *fp = font::open_file(encoding, &path);
- if (fp == 0)
+ if (0 /* nullptr */ == fp) {
+ // If errno not valid, assume file rejected due to '/'.
+ if (errno <= 0)
+ fatal("refusing to traverse directories to open PostScript"
+ " encoding file '%1'");
fatal("can't open encoding file '%1'", encoding);
+ }
int lineno = 1;
const int BUFFER_SIZE = 512;
char buf[BUFFER_SIZE];
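Review bot: The new `fatal()` call for the rejected-name case has `'%1'` in its format string but passes no argument for it, so the diagnostic cannot name the file that was refused. The call should end `" encoding file '%1'", encoding);`. The same omission appears in both later `psrm.cpp` hunks: the call in `resource_manager::output_prolog` needs `prologue`, and the `error()` call in `resource_manager::supply_resource` needs `r->filename`. How libgroff's message formatter treats a `%1` with no matching argument is not visible here, but at best the file name is lost, and that name is what tells a user which path was refused as a traversal attempt. The body of `define_encoding` starts and ends outside this hunk.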
diff --git a/src/devices/grops/psrm.cpp b/src/devices/grops/psrm.cpp
index 3c9a8b7b9..226375085 100644
--- a/src/devices/grops/psrm.cpp
+++ b/src/devices/grops/psrm.cpp
@@ -22,6 +22,8 @@ along with this program. If not, see
<http://www.gnu.org/licenses/>. */
#include "ps.h"
+#include <errno.h> // errno
+
#ifdef NEED_DECLARATION_PUTENV
extern "C" {
int putenv(const char *);
@@ -316,9 +318,14 @@ void resource_manager::output_prolog(ps_output &out)
}
char *prologue = getenv("GROPS_PROLOGUE");
FILE *fp = font::open_file(prologue, &path);
- if (!fp)
- fatal("failed to open PostScript prologue '%1': %2", prologue,
+ if (0 /* nullptr */ == fp) {
+ // If errno not valid, assume file rejected due to '/'.
+ if (errno <= 0)
+ fatal("refusing to traverse directories to open PostScript"
+ " prologue file '%1'");
+ fatal("failed to open PostScript prologue file '%1': %2", prologue,
strerror(errno));
+ }
fputs("%%BeginResource: ", outfp);
procset_resource->print_type_and_name(outfp);
putc('\n', outfp);
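Review bot: The `errno <= 0` test can only tell a slash rejection from a genuine open failure if `errno` was zero before `font::open_file()` ran, and nothing in this hunk resets it. Successful library calls do not clear `errno`, so a stale value from an earlier failure would send a rejected name to the `failed to open PostScript prologue file '%1': %2` message with an unrelated `strerror()` text. The traversal refusal would then be reported as an ordinary I/O error. Unless `font::open_file()` clears `errno` itself on the rejection path (not visible here), add `errno = 0;` immediately before the call. The same applies to the `font::open_file()` calls in `ps_printer::define_encoding` and in the font branch of `resource_manager::supply_resource`. The body of `output_prolog` continues outside this hunk.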
@@ -353,17 +360,21 @@ void resource_manager::supply_resource(resource *r, int
rank,
if (r->filename != 0 /* nullptr */) {
if (r->type == RESOURCE_FONT) {
fp = font::open_file(r->filename, &path);
- if (!fp) {
- error("failed to open PostScript resource '%1': %2",
- r->filename, strerror(errno));
+ if (0 /* nullptr */ == fp) {
+ // If errno not valid, assume file rejected due to '/'.
+ if (errno <= 0)
+ error("refusing to traverse directories to open PostScript"
+ " resource file '%1'");
+ else
+ error("failed to open PostScript resource file '%1': %2",
+ r->filename, strerror(errno));
delete[] r->filename;
r->filename = 0 /* nullptr */;
}
}
else {
- errno = 0;
fp = include_search_path.open_file_cautious(r->filename);
- if (!fp) {
+ if (0 /* nullptr */ == fp) {
error("can't open '%1': %2", r->filename, strerror(errno));
delete[] r->filename;
r->filename = 0 /* nullptr */;