Re: Adding pledge() to www/lynx

[Frederic Cambus]

On Tue, Mar 29, 2016 at 04:32:40PM +0100, Stuart Henderson wrote:
> I've run into a slight problem with the lynx pledging. If there's a
> ~/.mailcap entry for a mimetype, lynx uses it to try and display the
> file, for example I have
> 
> application/pdf;        mutt_bgrun mupdf '%s'; nametemplate=%s.pdf
> 
> (mutt_bgrun is the old script from 
> http://www.spocom.com/users/gjohnson/mutt/mutt_bgrun)
> so with this, following a link that ends up in a pdf results in lynx
> being killed by pledge.
>

Indeed, I was able to reproduce the issue locally, and that's something
I initially missed. It doesn't seem to be possible to disable this
behavior using an hardcoded boolean like in the previous patches.

What we could do is return early in the LYSystem function so that no
external command is ever called. It's not perfect as in the case you
mentioned, there is no error message reported and lynx doesn't offer
to save the file on disk. But that would also prevent future unpleasant
discoveries like this one, as while investigating, I found another
possible case of 'proc' + 'exec' use : it's possible to define an
external editor which will be executed if you press the 'e' key when
invoking lynx with a local file as argument, for example:
lynx index.html

Here is a patch hardcoding 'no_editor = TRUE' before calling pledge
so calling the editor is disabled with a proper error message, and
returning early in LYSystem. It might be better to return an error
code different than zero, in order to possibly trigger error
messages display?

Index: Makefile
===================================================================
RCS file: /cvs/ports/www/lynx/Makefile,v
retrieving revision 1.24
diff -u -p -u -p -r1.24 Makefile
--- Makefile    12 Mar 2016 14:29:13 -0000      1.24
+++ Makefile    13 Apr 2016 10:40:36 -0000
@@ -5,7 +5,7 @@ PL =            8
 COMMENT =      text web browser
 DISTNAME =     lynx${V}dev.${PL}
 PKGNAME =      lynx-${V}pl${PL}
-REVISION =     2
+REVISION =     3
 EXTRACT_SUFX = .tar.bz2
 CATEGORIES =   www net
 
Index: patches/patch-lynx_man
===================================================================
RCS file: /cvs/ports/www/lynx/patches/patch-lynx_man,v
retrieving revision 1.1
diff -u -p -u -p -r1.1 patch-lynx_man
--- patches/patch-lynx_man      12 Mar 2016 14:29:13 -0000      1.1
+++ patches/patch-lynx_man      13 Apr 2016 10:40:36 -0000
@@ -1,12 +1,13 @@
 $OpenBSD: patch-lynx_man,v 1.1 2016/03/12 14:29:13 tb Exp $
 --- lynx.man.orig      Thu Oct  8 02:19:45 2015
-+++ lynx.man   Thu Feb  4 12:37:28 2016
-@@ -593,6 +593,21 @@ flushes the cache on a proxy server
++++ lynx.man   Wed Apr 13 13:03:58 2016
+@@ -593,6 +593,22 @@ flushes the cache on a proxy server
  allows a list of services to be disabled selectively.
  Dashes and underscores in option names can be intermixed.
  The following list is printed if no options are specified.
 +.IP
 +On OpenBSD the following restrictions are always enabled:
++\fBeditor\fR,
 +\fBexec\fR,
 +\fBmail\fR,
 +and
Index: patches/patch-src_LYMain_c
===================================================================
RCS file: /cvs/ports/www/lynx/patches/patch-src_LYMain_c,v
retrieving revision 1.1
diff -u -p -u -p -r1.1 patch-src_LYMain_c
--- patches/patch-src_LYMain_c  12 Mar 2016 14:29:13 -0000      1.1
+++ patches/patch-src_LYMain_c  13 Apr 2016 10:40:36 -0000
@@ -1,12 +1,13 @@
 $OpenBSD: patch-src_LYMain_c,v 1.1 2016/03/12 14:29:13 tb Exp $
 --- src/LYMain.c.orig  Fri Dec 18 01:34:45 2015
-+++ src/LYMain.c       Wed Feb  3 19:50:41 2016
-@@ -2142,6 +2142,21 @@ int main(int argc,
++++ src/LYMain.c       Mon Apr 11 01:55:21 2016
+@@ -2142,6 +2142,22 @@ int main(int argc,
      }
  
      /*
 +     * Disabling features requiring 'proc' + 'exec' and calling pledge
 +     */
++    no_editor = TRUE;
 +    no_exec = TRUE;
 +    no_mail = TRUE;
 +    no_shell = TRUE;
Index: patches/patch-src_LYUtils_c
===================================================================
RCS file: /cvs/ports/www/lynx/patches/patch-src_LYUtils_c,v
retrieving revision 1.1
diff -u -p -u -p -r1.1 patch-src_LYUtils_c
--- patches/patch-src_LYUtils_c 12 Mar 2016 14:29:13 -0000      1.1
+++ patches/patch-src_LYUtils_c 13 Apr 2016 10:40:36 -0000
@@ -6,7 +6,7 @@ order to avoid a "getpw" promise.  This 
 no breakage is to be expected from this.
 
 --- src/LYUtils.c.orig Sun Mar 22 16:38:23 2015
-+++ src/LYUtils.c      Sun Jan 31 07:49:03 2016
++++ src/LYUtils.c      Mon Apr 11 01:39:12 2016
 @@ -5253,10 +5253,11 @@ const char *Home_Dir(void)
            /*
             * One could use getlogin() and getpwnam() here instead.
@@ -22,3 +22,11 @@ no breakage is to be expected from this.
            } else
  #endif
            {
+@@ -7185,6 +7186,7 @@ static char *escape_backslashes(char *source)
+  */
+ int LYSystem(char *command)
+ {
++    return 0;
+     int code;
+     int do_free = 0;
+