sorry. I don't really like this patch.
I'd prefer a proper fix for 1. keeping the current behaviour is a good reminder
that some more work is needed. if we paper over the problem I don't think there
will be the same incentive to fix things properly.
for 2 I don't like the idea of adding a flavour to Lynx. I'd prefer to keep 1
package. some months ago I was thinking of a runtime flag like "lynx
-dangerous" to allow proc exec. but then I haven't seen a lot of people
complaining about the lack of proc exec. is it really needed? I certainly don't
need that functionality and I really think it's high risk in a browser.
> On Jun 2, 2016, at 9:18 AM, Dmitrij D. Czarkoff <czark...@gmail.com> wrote:
>
> Hi!
>
> The following diff changes two related aspects of www/lynx port:
>
> 1. Currently lynx dies to SIGABRT from pledge when user follows URL
> for image files. I guess the same happens when user configures
> mailcap or handlers for mime types. Properly removing this
> functionality from lynx would require a lot of time both right now
> and during upgrades. The patch below changes LYSystem() to return
> early pretending that system(3) failed.
>
> This is not a proper solution to the problem, but at least it stops
> lynx from dying.
>
> 2. This patch also adds an "exec" flavor that calls pledge with "exec"
> and "proc" promises, so that external editor and image viewer can
> actually be used. This is also a temporary solution before the
> real issue is addressed upstream. I am not sure there is still a
> good reason for pledge in this flavor though.
>
> Comments? OKs?
>
> --
> Dmitrij D. Czarkoff
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/www/lynx/Makefile,v
> retrieving revision 1.27
> diff -u -p -r1.27 Makefile
> --- Makefile 17 May 2016 00:08:44 -0000 1.27
> +++ Makefile 2 Jun 2016 10:19:43 -0000
> @@ -7,6 +7,7 @@ DISTNAME = lynx${V}dev.${PL}
> PKGNAME = lynx-${V}pl${PL}
> EXTRACT_SUFX = .tar.bz2
> CATEGORIES = www net
> +REVISION = 0
>
> HOMEPAGE = http://lynx.invisible-island.net/
>
> @@ -22,6 +23,16 @@ MASTER_SITES = http://invisible-mirror.n
> ftp://invisible-island.net/lynx/tarballs/
>
> LIB_DEPENDS = archivers/bzip2
> +
> +FLAVORS = exec
> +FLAVOR ?=
> +
> +PATCH_LIST = patch-*
> +.if ${FLAVOR:Mexec}
> +PATCH_LIST += exec-*
> +.else
> +PATCH_LIST += noexec-*
> +.endif
>
> CONFIGURE_STYLE = gnu
> CONFIGURE_ARGS = --datarootdir="${PREFIX}/share/doc/lynx" \
> Index: patches/exec-src_LYMain_c
> ===================================================================
> RCS file: patches/exec-src_LYMain_c
> diff -N patches/exec-src_LYMain_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/exec-src_LYMain_c 2 Jun 2016 10:47:49 -0000
> @@ -0,0 +1,21 @@
> +$OpenBSD: patch-src_LYMain_c,v 1.2 2016/04/15 03:21:51 tb Exp $
> +--- src/LYMain.c.orig Fri Dec 18 01:34:45 2015
> ++++ src/LYMain.c Mon Apr 11 01:55:21 2016
> +@@ -2142,6 +2142,17 @@ int main(int argc,
> + }
> +
> + /*
> ++ * Disabling rlogin and telnet and calling pledge
> ++ */
> ++ rlogin_ok = FALSE;
> ++ telnet_ok = FALSE;
> ++
> ++ if (pledge("stdio rpath wpath cpath fattr dns inet tty proc exec",
> NULL) == -1) {
> ++ fprintf(stderr, "%s: pledge: %s\n", getprogname(), strerror(errno));
> ++ exit_immediately(EXIT_FAILURE);
> ++ }
> ++
> ++ /*
> + * Here's where we do all the work.
> + */
> + if (dump_output_immediately) {
> Index: patches/noexec-src_LYMain_c
> ===================================================================
> RCS file: patches/noexec-src_LYMain_c
> diff -N patches/noexec-src_LYMain_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/noexec-src_LYMain_c 15 Apr 2016 03:21:51 -0000
> @@ -0,0 +1,26 @@
> +$OpenBSD: patch-src_LYMain_c,v 1.2 2016/04/15 03:21:51 tb Exp $
> +--- src/LYMain.c.orig Fri Dec 18 01:34:45 2015
> ++++ src/LYMain.c Mon Apr 11 01:55:21 2016
> +@@ -2142,6 +2142,22 @@ int main(int argc,
> + }
> +
> + /*
> ++ * Disabling features requiring 'proc' + 'exec' and calling pledge
> ++ */
> ++ no_editor = TRUE;
> ++ no_exec = TRUE;
> ++ no_mail = TRUE;
> ++ no_shell = TRUE;
> ++
> ++ rlogin_ok = FALSE;
> ++ telnet_ok = FALSE;
> ++
> ++ if (pledge("stdio rpath wpath cpath fattr dns inet tty", NULL) == -1) {
> ++ fprintf(stderr, "%s: pledge: %s\n", getprogname(), strerror(errno));
> ++ exit_immediately(EXIT_FAILURE);
> ++ }
> ++
> ++ /*
> + * Here's where we do all the work.
> + */
> + if (dump_output_immediately) {
> Index: patches/noexec-src_LYUtils_c
> ===================================================================
> RCS file: patches/noexec-src_LYUtils_c
> diff -N patches/noexec-src_LYUtils_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/noexec-src_LYUtils_c 2 Jun 2016 10:40:31 -0000
> @@ -0,0 +1,18 @@
> +$OpenBSD: patch-src_LYUtils_c,v 1.1 2016/03/12 14:29:13 tb Exp $
> +
> +The only purpose of LYSystem() function is to execute "command". Our
> pledge(2)
> +will not allow system(3) anyway, so just return early saying that system(3)
> +failed.
> +
> +--- src/LYUtils.c.orig Sun Mar 22 16:38:23 2015
> ++++ src/LYUtils.c Thu Jun 2 12:38:29 2016
> +@@ -7185,6 +7185,9 @@ static char *escape_backslashes(char *source)
> + */
> + int LYSystem(char *command)
> + {
> ++ errno = EPERM;
> ++ return -1;
> ++
> + int code;
> + int do_free = 0;
> +
> Index: patches/noexec-userdefs_h
> ===================================================================
> RCS file: patches/noexec-userdefs_h
> diff -N patches/noexec-userdefs_h
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/noexec-userdefs_h 15 Apr 2016 03:21:52 -0000
> @@ -0,0 +1,25 @@
> +$OpenBSD: patch-userdefs_h,v 1.1 2016/04/15 03:21:52 tb Exp $
> +--- userdefs.h.orig Tue Dec 22 02:45:35 2015
> ++++ userdefs.h Thu Apr 14 00:11:57 2016
> +@@ -129,8 +129,8 @@
> + * Mappings in these global and personal files override any VIEWER
> + * definitions in lynx.cfg and built-in defaults from src/HTInit.c.
> + */
> +-#define GLOBAL_MAILCAP "Lynx_Dir:mailcap"
> +-#define PERSONAL_MAILCAP ".mailcap"
> ++#define GLOBAL_MAILCAP "/dev/null"
> ++#define PERSONAL_MAILCAP "/dev/null"
> +
> + /**************************
> + * XLOADIMAGE_COMMAND will be used as a default in src/HTInit.c
> +@@ -327,8 +327,8 @@
> + * Mappings in these global and personal files override any VIEWER
> + * definitions in lynx.cfg and built-in defaults from src/HTInit.c.
> + */
> +-#define GLOBAL_MAILCAP MIME_LIBDIR "mailcap"
> +-#define PERSONAL_MAILCAP "~/.mailcap"
> ++#define GLOBAL_MAILCAP "/dev/null"
> ++#define PERSONAL_MAILCAP "/dev/null"
> +
> + /**************************
> + * XLOADIMAGE_COMMAND will be used as a default in src/HTInit.c for
> Index: patches/patch-src_LYMain_c
> ===================================================================
> RCS file: patches/patch-src_LYMain_c
> diff -N patches/patch-src_LYMain_c
> --- patches/patch-src_LYMain_c 15 Apr 2016 03:21:51 -0000 1.2
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,26 +0,0 @@
> -$OpenBSD: patch-src_LYMain_c,v 1.2 2016/04/15 03:21:51 tb Exp $
> ---- src/LYMain.c.orig Fri Dec 18 01:34:45 2015
> -+++ src/LYMain.c Mon Apr 11 01:55:21 2016
> -@@ -2142,6 +2142,22 @@ int main(int argc,
> - }
> -
> - /*
> -+ * Disabling features requiring 'proc' + 'exec' and calling pledge
> -+ */
> -+ no_editor = TRUE;
> -+ no_exec = TRUE;
> -+ no_mail = TRUE;
> -+ no_shell = TRUE;
> -+
> -+ rlogin_ok = FALSE;
> -+ telnet_ok = FALSE;
> -+
> -+ if (pledge("stdio rpath wpath cpath fattr dns inet tty", NULL) == -1) {
> -+ fprintf(stderr, "%s: pledge: %s\n", getprogname(), strerror(errno));
> -+ exit_immediately(EXIT_FAILURE);
> -+ }
> -+
> -+ /*
> - * Here's where we do all the work.
> - */
> - if (dump_output_immediately) {
> Index: patches/patch-userdefs_h
> ===================================================================
> RCS file: patches/patch-userdefs_h
> diff -N patches/patch-userdefs_h
> --- patches/patch-userdefs_h 15 Apr 2016 03:21:52 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,25 +0,0 @@
> -$OpenBSD: patch-userdefs_h,v 1.1 2016/04/15 03:21:52 tb Exp $
> ---- userdefs.h.orig Tue Dec 22 02:45:35 2015
> -+++ userdefs.h Thu Apr 14 00:11:57 2016
> -@@ -129,8 +129,8 @@
> - * Mappings in these global and personal files override any VIEWER
> - * definitions in lynx.cfg and built-in defaults from src/HTInit.c.
> - */
> --#define GLOBAL_MAILCAP "Lynx_Dir:mailcap"
> --#define PERSONAL_MAILCAP ".mailcap"
> -+#define GLOBAL_MAILCAP "/dev/null"
> -+#define PERSONAL_MAILCAP "/dev/null"
> -
> - /**************************
> - * XLOADIMAGE_COMMAND will be used as a default in src/HTInit.c
> -@@ -327,8 +327,8 @@
> - * Mappings in these global and personal files override any VIEWER
> - * definitions in lynx.cfg and built-in defaults from src/HTInit.c.
> - */
> --#define GLOBAL_MAILCAP MIME_LIBDIR "mailcap"
> --#define PERSONAL_MAILCAP "~/.mailcap"
> -+#define GLOBAL_MAILCAP "/dev/null"
> -+#define PERSONAL_MAILCAP "/dev/null"
> -
> - /**************************
> - * XLOADIMAGE_COMMAND will be used as a default in src/HTInit.c for
> Index: pkg/DESCR
> ===================================================================
> RCS file: /cvs/ports/www/lynx/pkg/DESCR,v
> retrieving revision 1.4
> diff -u -p -r1.4 DESCR
> --- pkg/DESCR 17 Jul 2014 12:15:21 -0000 1.4
> +++ pkg/DESCR 2 Jun 2016 13:02:55 -0000
> @@ -12,3 +12,7 @@ information systems intended primarily f
> Lynx has been used to build several Campus Wide Information Systems
> (CWIS). In addition, Lynx can be used to build systems isolated within a
> single LAN.
> +
> +The "exec" flavor of lynx is capable of calling external programs using
> +dangerous system(3) function. Basically it concedes security to
> +convenience of calling external editor, image view, file handlers, etc.
>
