Hello,
The following diffs fix two things regarding the css tools in dspam:

* Create the temporary file in the database directory instead of /tmp/<pid>.
 _hash_drv_open() happily follows symbolic links, so the old /tmp location can
be considered a vulnerability.

* Keep the database header so that stats aren't cleared and so that
csscompress can actually work.

Originally reported for cssclean by Doug Hardie on the DSpam mailing list.
 Submitted upstream.

 Best regards,

--
Frank Denis - frank [at] nailbox.fr - Young Nails / Akzentz nail tech
http://forum.manucure.info - http://www.manucure-pro.com
$OpenBSD$
--- src/tools.hash_drv/cssclean.c.orig  Sat May 13 14:17:31 2006
+++ src/tools.hash_drv/cssclean.c       Mon Jul 31 13:43:07 2006
@@ -100,7 +100,7 @@ int cssclean(const char *filename) {
   struct _hash_drv_map old, new;
   hash_drv_spam_record_t rec;
   unsigned long filepos;
-  char newfile[128];
+  char newfile[PATH_MAX];
 
   unsigned long hash_rec_max = HASH_REC_MAX;
   unsigned long max_seek     = HASH_SEEK_MAX;
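Review bot: `PATH_MAX` in the new `newfile` declaration comes from `<limits.h>`, and the `dirname()` call introduced in the next hunk comes from `<libgen.h>`, but no hunk in this patch adds either include. The include block is outside the hunks, so this may already be covered; if it is not, `dirname()` would be implicitly declared as returning `int`, which truncates the returned pointer on 64-bit targets. It is worth confirming, and adding `#include <limits.h>` and `#include <libgen.h>` to cssclean.c, csscompress.c and cssconvert.c where they are missing.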
@@ -123,7 +123,8 @@ int cssclean(const char *filename) {
   if (READ_ATTRIB("HashMaxSeek"))
      max_seek = strtol(READ_ATTRIB("HashMaxSeek"), NULL, 0);
 
-  snprintf(newfile, sizeof(newfile), "/tmp/%u.css", (unsigned int) getpid());
+  snprintf(newfile, sizeof(newfile), "%s/%u.css", dirname(filename),
+           (unsigned int) getpid());
 
   if (_hash_drv_open(filename, &old, 0, max_seek,
                      max_extents, extent_size, flags))
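Review bot: The new path `<dirname(filename)>/<pid>.css` is still a predictable name opened through `_hash_drv_open()`, which the description says follows symbolic links, so the change is only safe when the database directory is writable by nobody but the database owner. A comment stating that assumption would help, e.g. `/* temp file lives next to the database: directory must not be writable by other users */`; a sturdier fix would create the file with `mkstemp()` in that directory or open it with `O_EXCL | O_NOFOLLOW`, which would have to happen in code outside this hunk. Separately, POSIX allows `dirname()` to modify its argument while `filename` is `const char *`, so portable code should pass a local copy, and the `snprintf()` result should be checked for truncation before the name is used. The same points apply to the matching hunks in csscompress.c and cssconvert.c; `cssclean()` continues beyond this hunk.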
@@ -159,6 +160,7 @@ int cssclean(const char *filename) {
     filepos += sizeof(struct _hash_drv_header);
   }
 
+  memcpy(new.header, old.header, sizeof(struct _hash_drv_header));
   _hash_drv_close(&new);
   _hash_drv_close(&old);
   rename(newfile, filename);
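Review bot: The added `memcpy()` copies the entire `struct _hash_drv_header` from the old map into the new one just before the close, which is broader than the stated goal of keeping the stats. The struct definition is not visible here; if it also holds layout fields (for example a per-extent record limit), those would be overwritten with the old file's values, so copying only the statistics member may be the safer form. Either way, a short comment such as `/* preserve header so stored totals survive the rebuild */` above the line would record the intent. Note also that the result of the following `rename(newfile, filename)` is ignored, so a failed rename now leaves `<pid>.css` behind in the database directory.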
$OpenBSD$
--- src/tools.hash_drv/csscompress.c.orig       Sat May 13 14:17:31 2006
+++ src/tools.hash_drv/csscompress.c    Mon Jul 31 13:44:33 2006
@@ -102,7 +102,7 @@ int csscompress(const char *filename) {
   struct _hash_drv_map old, new;
   hash_drv_spam_record_t rec;
   unsigned long filepos;
-  char newfile[128];
+  char newfile[PATH_MAX];
 
   unsigned long hash_rec_max = HASH_REC_MAX;
   unsigned long max_seek     = HASH_SEEK_MAX;
@@ -125,7 +125,7 @@ int csscompress(const char *filename) {
   if (READ_ATTRIB("HashMaxSeek"))
      max_seek = strtol(READ_ATTRIB("HashMaxSeek"), NULL, 0);
 
-  snprintf(newfile, sizeof(newfile), "/tmp/%u.css", (unsigned int) getpid());
+  snprintf(newfile, sizeof(newfile), "/%s/%u.css", dirname(filename), 
(unsigned int) getpid());
 
   if (_hash_drv_open(filename, &old, 0, max_seek,
                      max_extents, extent_size, flags))
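Review bot: The format string on the added line is `"/%s/%u.css"`, with a leading slash that the cssclean.c version (`"%s/%u.css"`) does not have. For a relative `filename`, `dirname()` yields a relative directory (or `.`), so the temporary file would be created relative to `/` instead of next to the database; for an absolute path it only produces a doubled leading slash. The line should read `snprintf(newfile, sizeof(newfile), "%s/%u.css", dirname(filename), (unsigned int) getpid());`, and the identical line in the cssconvert.c hunk needs the same change. The description also says the header is kept so that csscompress works, but no header-copy hunk for csscompress.c is visible in this patch.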
$OpenBSD$
--- src/tools.hash_drv/cssconvert.c.orig        Sat May 13 14:17:31 2006
+++ src/tools.hash_drv/cssconvert.c     Mon Jul 31 13:45:12 2006
@@ -107,7 +107,7 @@ int cssconvert(const char *filename) {
   struct _hash_drv_map old, new;
   hash_drv_spam_record_t rec;
   unsigned long filepos;
-  char newfile[128];
+  char newfile[PATH_MAX];
 
   unsigned long hash_rec_max = HASH_REC_MAX;
   unsigned long max_seek     = HASH_SEEK_MAX;
@@ -130,7 +130,7 @@ int cssconvert(const char *filename) {
   if (READ_ATTRIB("HashMaxSeek"))
      max_seek = strtol(READ_ATTRIB("HashMaxSeek"), NULL, 0);
 
-  snprintf(newfile, sizeof(newfile), "/tmp/%u.css", (unsigned int) getpid());
+  snprintf(newfile, sizeof(newfile), "/%s/%u.css", dirname(filename), 
(unsigned int) getpid());
 
   if (_hash_drv_open(filename, &old, 0, max_seek,
                      max_extents, extent_size, flags))
