[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Chicken-hackers] [PATCH 2/4] csi: fix untrusted code execution by (load
|
From: |
Florian Zumbiehl |
|
Subject: |
[Chicken-hackers] [PATCH 2/4] csi: fix untrusted code execution by (load)ing ./.csirc |
|
Date: |
Fri, 15 Mar 2013 06:58:42 +0100 |
|
User-agent: |
Mutt/1.5.20 (2009-06-14) |
Remove (load)ing of ./.csirc on csi startup as it can lead to execution of
untrusted code.
---
I think a replacement mechanism is not necessary, anyone who wants the old
behaviour can just add appropriate code to their ~/.csirc.
The TOCTOU sporadic failure bug I have left in as I don't have a clue how
to fix that.
csi.scm | 13 ++++++-------
1 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/csi.scm b/csi.scm
index 6881d7b..ab650ee 100644
--- a/csi.scm
+++ b/csi.scm
@@ -1016,13 +1016,12 @@ EOF
(cons (cadr p) (loop (cddr p)))) ) ]
[else '()] ) ) )
(define (loadinit)
- (let ([fn (##sys#string-append "./" init-file)])
- (if (file-exists? fn)
- (load fn)
- (let* ([prefix (chop-separator (or (get-environment-variable
"HOME") "."))]
- [fn (string-append prefix "/" init-file)] )
- (when (file-exists? fn)
- (load fn) ) ) ) ) )
+ (and-let* ((home (get-environment-variable "HOME")))
+ (when (= (string-length home) 0)
+ (##sys#error "invalid (empty) $HOME"))
+ (let ((fn (string-append (chop-separator home) "/"
init-file)))
+ (when (file-exists? fn)
+ (load fn) ) ) ) )
(define (evalstring str #!optional (rec (lambda _ (void))))
(let ((in (open-input-string str)))
(do ([x (read in) (read in)])
--
1.7.2.5