|
 |
7c5933 |
From: Chris Liddell <chris.liddell@artifex.com>
|
|
|
7c5933 |
Date: Sat, 1 Sep 2018 16:50:05 +0000 (+0100)
|
|
|
7c5933 |
Subject: Bug 699658(related): Move recording of temp file names into C
|
|
|
7c5933 |
|
|
|
7c5933 |
Bug 699658(related): Move recording of temp file names into C
|
|
|
7c5933 |
|
|
|
7c5933 |
When we successfully create a temporary file from Postscript, either doing so
|
|
|
7c5933 |
when SAFER is not in force, or when SAFER is in force, and creating it in
|
|
|
7c5933 |
a write permitted directory, we record the file name so we can later delete
|
|
|
7c5933 |
the file, even is SAFER has been engaged, or if the PermitWriting list has
|
|
|
7c5933 |
changed to no longer the directory in question.
|
|
|
7c5933 |
|
|
|
7c5933 |
Previously the recording of the name was done in Postscript, even though the
|
|
|
7c5933 |
checking was done in C.
|
|
|
7c5933 |
|
|
|
7c5933 |
This moves the recording of the names to C, meaning we can remove the Postscript
|
|
|
7c5933 |
redefinitions of .tempfile and deletfile, and make the dictionary in question
|
|
|
7c5933 |
noaccess.
|
|
|
7c5933 |
|
|
|
7c5933 |
Also, tidy up the adding of the temporary file directory to the list of
|
|
|
7c5933 |
permitted directories, and include the list in all of the categories
|
|
|
7c5933 |
(PermitFileWriting, PermitFileReading and PermitFileControl) - it was only
|
|
|
7c5933 |
previously adding to writing.
|
|
|
7c5933 |
|
|
|
7c5933 |
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=0704d18b10314d701a522ad6c16718e0b8e199b7
|
|
|
7c5933 |
---
|
|
|
7c5933 |
|
|
|
7c5933 |
diff -up ghostscript-9.07/psi/int.mak.bz1661210 ghostscript-9.07/psi/int.mak
|
|
|
7c5933 |
--- ghostscript-9.07/psi/int.mak.bz1661210 2018-12-20 17:38:21.683312408 +0100
|
|
|
7c5933 |
+++ ghostscript-9.07/psi/int.mak 2018-12-20 17:38:40.583083097 +0100
|
|
|
7c5933 |
@@ -330,7 +330,7 @@ $(PSOBJ)zfile.$(OBJ) : $(PSSRC)zfile.c $
|
|
|
7c5933 |
$(memory__h) $(string__h) $(unistd__h) $(stat__h) $(gp_h) $(gpmisc_h)\
|
|
|
7c5933 |
$(gscdefs_h) $(gsfname_h) $(gsstruct_h) $(gsutil_h) $(gxalloc_h) $(gxiodev_h)\
|
|
|
7c5933 |
$(dstack_h) $(estack_h) $(files_h)\
|
|
|
7c5933 |
- $(ialloc_h) $(idict_h) $(ilevel_h) $(iname_h) $(iutil_h)\
|
|
|
7c5933 |
+ $(ialloc_h) $(idict_h) $(iddict_h) $(ilevel_h) $(iname_h) $(iutil_h)\
|
|
|
7c5933 |
$(isave_h) $(main_h) $(sfilter_h) $(stream_h) $(strimpl_h) $(store_h)\
|
|
|
7c5933 |
$(zfile_h)
|
|
|
7c5933 |
$(PSCC) $(PSO_)zfile.$(OBJ) $(C_) $(PSSRC)zfile.c
|
|
|
7c5933 |
diff -up ghostscript-9.07/psi/zfile.c.bz1661210 ghostscript-9.07/psi/zfile.c
|
|
|
7c5933 |
--- ghostscript-9.07/psi/zfile.c.bz1661210 2018-12-20 17:39:09.975726450 +0100
|
|
|
7c5933 |
+++ ghostscript-9.07/psi/zfile.c 2018-12-20 17:44:50.698592208 +0100
|
|
|
7c5933 |
@@ -35,6 +35,7 @@
|
|
|
7c5933 |
#include "iname.h"
|
|
|
7c5933 |
#include "isave.h" /* for restore */
|
|
|
7c5933 |
#include "idict.h"
|
|
|
7c5933 |
+#include "iddict.h"
|
|
|
7c5933 |
#include "iutil.h"
|
|
|
7c5933 |
#include "stream.h"
|
|
|
7c5933 |
#include "strimpl.h"
|
|
|
7c5933 |
@@ -290,6 +291,28 @@ file_is_tempfile(i_ctx_t *i_ctx_p, const
|
|
|
7c5933 |
return true;
|
|
|
7c5933 |
}
|
|
|
7c5933 |
|
|
|
7c5933 |
+static int
|
|
|
7c5933 |
+record_file_is_tempfile(i_ctx_t *i_ctx_p, const uchar *fname, int len, bool add)
|
|
|
7c5933 |
+{
|
|
|
7c5933 |
+ ref *SAFETY;
|
|
|
7c5933 |
+ ref *tempfiles;
|
|
|
7c5933 |
+ ref kname, bref;
|
|
|
7c5933 |
+ int code = 0;
|
|
|
7c5933 |
+
|
|
|
7c5933 |
+ if (dict_find_string(systemdict, "SAFETY", &SAFETY) <= 0 ||
|
|
|
7c5933 |
+ dict_find_string(SAFETY, "tempfiles", &tempfiles) <= 0) {
|
|
|
7c5933 |
+ return 0;
|
|
|
7c5933 |
+ }
|
|
|
7c5933 |
+ if ((code = name_ref(imemory, fname, len, &kname, 1)) < 0) {
|
|
|
7c5933 |
+ return code;
|
|
|
7c5933 |
+ }
|
|
|
7c5933 |
+ make_bool(&bref, true);
|
|
|
7c5933 |
+ if (add)
|
|
|
7c5933 |
+ return idict_put(tempfiles, &kname, &bref;;
|
|
|
7c5933 |
+ else
|
|
|
7c5933 |
+ return idict_undef(tempfiles, &kname);
|
|
|
7c5933 |
+}
|
|
|
7c5933 |
+
|
|
|
7c5933 |
/* ------ Level 2 extensions ------ */
|
|
|
7c5933 |
|
|
|
7c5933 |
/* <string> deletefile - */
|
|
|
7c5933 |
@@ -299,17 +322,22 @@ zdeletefile(i_ctx_t *i_ctx_p)
|
|
|
7c5933 |
os_ptr op = osp;
|
|
|
7c5933 |
gs_parsed_file_name_t pname;
|
|
|
7c5933 |
int code = parse_real_file_name(op, &pname, imemory, "deletefile");
|
|
|
7c5933 |
+ bool is_temp = false;
|
|
|
7c5933 |
|
|
|
7c5933 |
if (code < 0)
|
|
|
7c5933 |
return code;
|
|
|
7c5933 |
if (pname.iodev == iodev_default(imemory)) {
|
|
|
7c5933 |
if ((code = check_file_permissions(i_ctx_p, pname.fname, pname.len,
|
|
|
7c5933 |
pname.iodev, "PermitFileControl")) < 0 &&
|
|
|
7c5933 |
- !file_is_tempfile(i_ctx_p, op->value.bytes, r_size(op))) {
|
|
|
7c5933 |
+ !(is_temp = file_is_tempfile(i_ctx_p, op->value.bytes, r_size(op)))) {
|
|
|
7c5933 |
return code;
|
|
|
7c5933 |
}
|
|
|
7c5933 |
}
|
|
|
7c5933 |
code = (*pname.iodev->procs.delete_file)(pname.iodev, pname.fname);
|
|
|
7c5933 |
+
|
|
|
7c5933 |
+ if (code >= 0 && is_temp)
|
|
|
7c5933 |
+ code = record_file_is_tempfile(i_ctx_p, (unsigned char *)pname.fname, strlen(pname.fname), false);
|
|
|
7c5933 |
+
|
|
|
7c5933 |
gs_free_file_name(&pname, "deletefile");
|
|
|
7c5933 |
if (code < 0)
|
|
|
7c5933 |
return code;
|
|
|
7c5933 |
@@ -757,6 +785,7 @@ ztempfile(i_ctx_t *i_ctx_p)
|
|
|
7c5933 |
}
|
|
|
7c5933 |
make_string(op - 1, a_readonly | icurrent_space, fnlen, sbody);
|
|
|
7c5933 |
make_stream_file(op, s, fmode);
|
|
|
7c5933 |
+ code = record_file_is_tempfile(i_ctx_p, (unsigned char *)fname, fnlen, true);
|
|
|
7c5933 |
return code;
|
|
|
7c5933 |
}
|
|
|
7c5933 |
|
|
|
7c5933 |
diff -up ghostscript-9.07/Resource/Init/gs_init.ps.bz1661210 ghostscript-9.07/Resource/Init/gs_init.ps
|
|
|
7c5933 |
--- ghostscript-9.07/Resource/Init/gs_init.ps.bz1661210 2018-12-20 17:33:51.469591104 +0100
|
|
|
7c5933 |
+++ ghostscript-9.07/Resource/Init/gs_init.ps 2018-12-20 17:35:36.694314341 +0100
|
|
|
7c5933 |
@@ -2030,15 +2030,30 @@ systemdict /EPSBoundingBoxInit known { E
|
|
|
7c5933 |
.currentglobal //true .setglobal
|
|
|
7c5933 |
/SAFETY 2 dict
|
|
|
7c5933 |
dup /safe //false put
|
|
|
7c5933 |
- dup /tempfiles 10 dict readonly put
|
|
|
7c5933 |
+ dup /tempfiles 10 dict noaccess put
|
|
|
7c5933 |
readonly def
|
|
|
7c5933 |
.setglobal
|
|
|
7c5933 |
|
|
|
7c5933 |
+/tempfilepaths
|
|
|
7c5933 |
+[
|
|
|
7c5933 |
+ (TMPDIR) getenv not
|
|
|
7c5933 |
+ {
|
|
|
7c5933 |
+ (TEMP) getenv not
|
|
|
7c5933 |
+ {
|
|
|
7c5933 |
+ (TMP) getenv not
|
|
|
7c5933 |
+ {
|
|
|
7c5933 |
+ (/temp) (/tmp)
|
|
|
7c5933 |
+ } if
|
|
|
7c5933 |
+ } if
|
|
|
7c5933 |
+ } if
|
|
|
7c5933 |
+] def
|
|
|
7c5933 |
+
|
|
|
7c5933 |
/.locksafe {
|
|
|
7c5933 |
SAFETY /safe get not {
|
|
|
7c5933 |
<<
|
|
|
7c5933 |
/PermitFileReading [
|
|
|
7c5933 |
currentuserparams /PermitFileReading get aload pop
|
|
|
7c5933 |
+ //tempfilepaths aload pop
|
|
|
7c5933 |
/FONTPATH .systemvar (*) .generate_dir_list_templates
|
|
|
7c5933 |
% Library files :
|
|
|
7c5933 |
/LIBPATH .systemvar (*) .generate_dir_list_templates
|
|
|
7c5933 |
@@ -2056,16 +2071,11 @@ readonly def
|
|
|
7c5933 |
]
|
|
|
7c5933 |
/PermitFileWriting [
|
|
|
7c5933 |
currentuserparams /PermitFileWriting get aload pop
|
|
|
7c5933 |
- (TMPDIR) getenv not
|
|
|
7c5933 |
- {
|
|
|
7c5933 |
- (TEMP) getenv not
|
|
|
7c5933 |
- {
|
|
|
7c5933 |
- (TMP) getenv not
|
|
|
7c5933 |
- {
|
|
|
7c5933 |
- (/temp) (/tmp)
|
|
|
7c5933 |
- } if
|
|
|
7c5933 |
- } if
|
|
|
7c5933 |
- } if
|
|
|
7c5933 |
+ //tempfilepaths aload pop
|
|
|
7c5933 |
+ ]
|
|
|
7c5933 |
+ /PermitFileControl [
|
|
|
7c5933 |
+ currentuserparams /PermitFileControl get aload pop
|
|
|
7c5933 |
+ //tempfilepaths aload pop
|
|
|
7c5933 |
]
|
|
|
7c5933 |
/LockFilePermissions //true
|
|
|
7c5933 |
>> setuserparams
|
|
|
7c5933 |
@@ -2082,6 +2092,8 @@ readonly def
|
|
|
7c5933 |
//SAFETY /safe //true .forceput % overrides readonly
|
|
|
7c5933 |
} .bind executeonly odef
|
|
|
7c5933 |
|
|
|
7c5933 |
+currentdict /tempfilepaths undef
|
|
|
7c5933 |
+
|
|
|
7c5933 |
/.setsafe
|
|
|
7c5933 |
{
|
|
|
7c5933 |
SAFETY /safe get not {
|
|
|
7c5933 |
@@ -2095,30 +2107,6 @@ readonly def
|
|
|
7c5933 |
.locksafe
|
|
|
7c5933 |
} .bind executeonly odef
|
|
|
7c5933 |
|
|
|
7c5933 |
-/deletefile {
|
|
|
7c5933 |
- dup { deletefile } stopped {
|
|
|
7c5933 |
- pop //deletefile $error /errorname get signalerror
|
|
|
7c5933 |
- } {
|
|
|
7c5933 |
- % deletefile succeeded. Remove from tempfile list if present
|
|
|
7c5933 |
- //SAFETY /tempfiles get exch cvn 2 copy known {
|
|
|
7c5933 |
- .forceundef
|
|
|
7c5933 |
- } {
|
|
|
7c5933 |
- pop pop
|
|
|
7c5933 |
- }
|
|
|
7c5933 |
- ifelse
|
|
|
7c5933 |
- }
|
|
|
7c5933 |
- ifelse
|
|
|
7c5933 |
-} .bind executeonly odef
|
|
|
7c5933 |
-
|
|
|
7c5933 |
-% If a file is opened with .tempfile with SAFER not (yet) set,
|
|
|
7c5933 |
-% the file can be deleted later, even if SAFER is set.
|
|
|
7c5933 |
-/.tempfile {
|
|
|
7c5933 |
- .tempfile % filename file
|
|
|
7c5933 |
- //SAFETY /safe get not { % only add the filename if we're not yet safe
|
|
|
7c5933 |
- //SAFETY /tempfiles get 2 .argindex //true .forceput
|
|
|
7c5933 |
- } if
|
|
|
7c5933 |
-} .bind executeonly odef
|
|
|
7c5933 |
-
|
|
|
7c5933 |
% If we are running in SAFER mode, lock things down
|
|
|
7c5933 |
SAFER { .setsafe } if
|
|
|
7c5933 |
|