tags 560755 + patch
thanks

Hi!
I have a potential fix for this bug. My approach is based on the premise that the make-temp-file function provided from Emacs 22 onwards is safe. So, I backport the method to the rst.el file, and bind it to the symbol rst--make-temp-file as follows:
- If the Emacs version is less than 22, use this custom version. This works on Emacs 21, I tested it.
- If the Emacs version is 22 or more, bind rst--make-temp-file to the make-temp-file provided by the Emacs Lisp libraries.
I don't see a solution for removing the temporary files, though. I am no expert on security or Emacs Lisp, but I hope this patch provides a start.

HTH, and thanks!

Kumar
-- 
Bigotry tries to keep truth safe in its hand
With a grip that kills it.
- Rabindranath Tagore (Fireflies, 1928)
Description: Patch to fix temporary file vulnerability My approach is based on the premise that the make-temp-file function provided from Emacs 22 onwards is safe. So, I backport the method to the rst.el file, and bind it to the symbol rst--make-temp-file as follows: - If the Emacs version is less than 22, use this custom version. This works on Emacs 21, I tested it. - If the Emacs version is 22 or more, bind rst--make-temp-file to the make-temp-fil provided in the Emacs Lisp libraries. I don't see a solution for removing the temporary files, though. I am no expert on security or Emacs Lisp, but I hope this patch provides a start.
Author: Kumar Appaiah <aku...@debian.org>
---
The information above should follow the Patch Tagging Guidelines, please checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here are templates for supplementary fields that you might want to add:
Origin: Kumar Appaiah
Bug:
Bug-Debian: http://bugs.debian.org/560755
Forwarded:
Reviewed-By:
Last-Update: 2009-12-12
--- python-docutils-0.6.orig/tools/editors/emacs/rst.el
+++ python-docutils-0.6/tools/editors/emacs/rst.el
@@ -3304,10 +3304,54 @@ of the entire buffer, if the region is n
 (defvar rst-pdf-program "xpdf"
 "Program used to preview PDF files.")
 
+(if (> emacs-major-version 22)
+ (defalias 'rst--make-temp-file 'make-temp-file)
+ (defvar temporary-file-directory)
+ (defun rst--make-temp-file (prefix &optional dir-flag suffix)
+ "Create a temporary file.
+The returned file name (created by appending some random characters at the end
+of PREFIX, and expanding against `temporary-file-directory' if necessary),
+is guaranteed to point to a newly created empty file.
+You can then use `write-region' to write new data into the file.
+
+If DIR-FLAG is non-nil, create a new empty directory instead of a file.
+
+If SUFFIX is non-nil, add that at the end of the file name."
+ (let ((umask (default-file-modes))
+ file)
+ (unwind-protect
+ (progn
+ ;; Create temp files with strict access rights. It's easy to
+ ;; loosen them later, whereas it's impossible to close the
+ ;; time-window of loose permissions otherwise.
+ (set-default-file-modes ?\700)
+ (while (condition-case ()
+ (progn
+ (setq file
+ (make-temp-name
+ (if (zerop (length prefix))
+ (file-name-as-directory
+ temporary-file-directory)
+ (expand-file-name prefix
+ temporary-file-directory))))
+ (if suffix
+ (setq file (concat file suffix)))
+ (if dir-flag
+ (make-directory file)
+ (write-region "" nil file nil 'silent nil 'excl))
+ nil)
+ (file-already-exists t))
+ ;; the file was somehow created by someone else between
+ ;; `make-temp-name' and `write-region', let's try again.
+ nil)
+ file)
+ ;; Reset the umask.
+ (set-default-file-modes umask)))))
+
 (defun rst-compile-pdf-preview ()
 "Convert the document to a PDF file and launch a preview program."
 (interactive)
- (let* ((tmp-filename "/tmp/out.pdf")
+ (let* ((tmp-filename (rst--make-temp-file "rst" nil ".pdf"))
 (command (format "%s %s %s && %s %s"
 (cadr (assq 'pdf rst-compile-toolsets))
 buffer-file-name tmp-filename
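Review bot: The path returned by rst--make-temp-file is spliced into the shell command by a bare `%s` in the `(format "%s %s %s && %s %s" ...)` that follows the replaced `let*` line, so a `temporary-file-directory` containing spaces or shell metacharacters (it is normally derived from the user's TMPDIR, unlike the old fixed `/tmp/out.pdf`) will break the command or be interpreted by the shell; pass `(shell-quote-argument tmp-filename)` (and preferably `(shell-quote-argument buffer-file-name)` too) to format. The same applies to the slides hunk that follows. Separately, the guard `(if (> emacs-major-version 22)` contradicts the patch description's "22 or more": on Emacs 22 itself the backport is used instead of the built-in, so `(if (>= emacs-major-version 22)` matches the stated intent. The format call and rst-compile-pdf-preview continue past the end of the hunk.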
@@ -3323,7 +3367,7 @@ of the entire buffer, if the region is n
 (defun rst-compile-slides-preview ()
 "Convert the document to an S5 slide presentation and launch a preview program."
 (interactive)
- (let* ((tmp-filename "/tmp/slides.html")
+ (let* ((tmp-filename (rst--make-temp-file "rst" nil ".html"))
 (command (format "%s %s %s && %s %s"
 (cadr (assq 's5 rst-compile-toolsets))
 buffer-file-name tmp-filename