CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2023/07/15 04:42:54
Modified files:
usr.bin/patch : patch.c
Log message:
Prevent patch(1) from scribbling all over the place.
Arguably the only sensible use of patch(1) is changing files in the
current working directory and subdirectories.
However, patch(1) has this anti-feature, or dare I say bug, where it
will happily follow "../" upwards and outside of the current working
directory to find files to change. All it takes is a line like
    +++ ../../../../home/florian/.ssh/authorized_keys
in the patchfile.
patch(1) operates on untrusted input and it already pledge(2)'ed to
not execute arbitrary programs, but of course it needs to write
files.
A simple unveil(".", "rwc") restricts patch(1) to its current working
directory.
We also need to allow /tmp and potentially the output file and reject
file if given on the command line. But those paths are safe.
input op, deraadt
OK millert, sthen
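
The log above describes a patchfile header line that walks upwards with "../". As an added example (not part of this commit or of patch.c), here is a lexical pre-apply lint that flags such header lines before a patchfile is handed to patch(1). The function names are hypothetical, and the code assumes the file name in a header ends at a tab or end of line and is checked as written, ignoring any -p stripping.

```c
#include <stdio.h>
#include <string.h>

/* Lexical check only: symlinks are not resolved, so this is a lint run
 * before applying a patch, not a substitute for kernel-enforced unveil(2). */
int escapes_cwd(const char *path)
{
	int depth = 0;
	if (path[0] == '/')
		return 1;			/* absolute path */
	while (*path != '\0') {
		size_t n = strcspn(path, "/");	/* length of next component */
		if (n == 2 && path[0] == '.' && path[1] == '.') {
			if (--depth < 0)
				return 1;	/* climbed above the start */
		} else if (n > 0 && !(n == 1 && path[0] == '.'))
			depth++;
		path += n + strspn(path + n, "/");
	}
	return 0;
}

/* Count "--- " and "+++ " header lines whose file name escapes. */
int count_escaping_targets(const char *patch)
{
	char name[1024];
	int hits = 0;
	while (*patch != '\0') {
		size_t len = strcspn(patch, "\n");
		if (!strncmp(patch, "+++ ", 4) || !strncmp(patch, "--- ", 4)) {
			size_t n = strcspn(patch + 4, "\t\n"); /* name ends at tab */
			snprintf(name, sizeof(name), "%.*s", (int)n, patch + 4);
			if (strcmp(name, "/dev/null") != 0 && escapes_cwd(name))
				hits++;
		}
		patch += len + (patch[len] == '\n');
	}
	return hits;
}

int main(void)
{
	/* Constructed sample; the +++ line is the one quoted in the log. */
	const char *p = "--- patch.c\n"
	    "+++ ../../../../home/florian/.ssh/authorized_keys\n"
	    "@@ -0,0 +1 @@\n+constructed\n";
	printf("escaping targets: %d\n", count_escaping_targets(p));
	return 0;
}
```

Hunk body lines that happen to begin with "--- " or "+++ " are also inspected, so a hit should be reviewed by hand rather than treated as proof.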