Author: mvidner
Date: Mon Dec 17 15:56:24 2007
New Revision: 43135
URL: http://svn.opensuse.org/viewcvs/yast?rev=43135&view=rev
Log:
Do not look for YCP scripts under the current working directory, unless explicitly requested (#330965).
Modified:
branches/SuSE-SLE-10-SP1-Branch/core/VERSION
branches/SuSE-SLE-10-SP1-Branch/core/libycp/src/pathsearch.cc
branches/SuSE-SLE-10-SP1-Branch/core/package/yast2-core.changes
branches/SuSE-SLE-10-SP1-Branch/core/wfm/src/Y2CCWFM.cc
Modified: branches/SuSE-SLE-10-SP1-Branch/core/VERSION
URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-SLE-10-SP1-Branch/core/VE...
==============================================================================
--- branches/SuSE-SLE-10-SP1-Branch/core/VERSION (original)
+++ branches/SuSE-SLE-10-SP1-Branch/core/VERSION Mon Dec 17 15:56:24 2007
@@ -1 +1 @@
-2.13.40
+2.13.41
Modified: branches/SuSE-SLE-10-SP1-Branch/core/libycp/src/pathsearch.cc
URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-SLE-10-SP1-Branch/core/li...
==============================================================================
--- branches/SuSE-SLE-10-SP1-Branch/core/libycp/src/pathsearch.cc (original)
+++ branches/SuSE-SLE-10-SP1-Branch/core/libycp/src/pathsearch.cc Mon Dec 17 15:56:24 2007
@@ -71,16 +71,25 @@
 
 for (int i = 0; i < NUM_LEVELS; i++)
 {
- if (home
- && strcmp (paths[i], "HOME") == 0)
+ // #330965, avoid publicly writable dirs in search path
+ // (we return a nonexistent dir because the API does not
+ // allow us to say Skip, and a cleanup patch to fix that
+ // would be too large)
+ static const char * not_there = YAST2DIR "/not-there";
+ if (strcmp (paths[i], "HOME") == 0)
 {
+ if (home)
 my_paths[i] = string (home) + "/.yast2";
+ else
+ my_paths[i] = string (not_there);
 }
- else if (y2dir
- && (strcmp (paths[i], "Y2DIR") == 0)
- && (strcmp (YAST2DIR, y2dir) != 0)) // prevent path duplication
+ else if (strcmp (paths[i], "Y2DIR") == 0)
 {
+ if (y2dir
+ && (strcmp (YAST2DIR, y2dir) != 0)) // prevent path duplication
 my_paths[i] = string (y2dir);
+ else
+ my_paths[i] = string (not_there);
 }
 else
 {
Modified: branches/SuSE-SLE-10-SP1-Branch/core/package/yast2-core.changes
URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-SLE-10-SP1-Branch/core/pa...
==============================================================================
--- branches/SuSE-SLE-10-SP1-Branch/core/package/yast2-core.changes (original)
+++ branches/SuSE-SLE-10-SP1-Branch/core/package/yast2-core.changes Mon Dec 17 15:56:24 2007
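Review bot: In the pathsearch.cc hunk, `if (home)` and `if (y2dir && ...)` accept an empty string, so a `HOME` set to nothing produces the entry `/.yast2` and an empty `Y2DIR` produces an empty search-path entry instead of the `not_there` placeholder. How the code past this hunk resolves an empty entry is not visible here, but if it is joined as a relative path it would bring back the working-directory lookup that #330965 is meant to stop. Testing `if (home && *home)` and `if (y2dir && *y2dir && (strcmp (YAST2DIR, y2dir) != 0))` would send both cases to `not_there`. The new inner `if`/`else` pairs are also unbraced and the unchanged assignment lines under them keep their old indentation, so braces and a re-indent would make the nesting clear. The loop body continues past the end of the hunk.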
@@ -1,4 +1,11 @@ ------------------------------------------------------------------- +Mon Oct 29 13:28:57 CET 2007 - mvidner@suse.cz + +- Do not look for YCP scripts under the current working + directory, unless explicitly requested (#330965). +- 2.13.41 + +------------------------------------------------------------------- Wed Aug 15 11:31:20 CEST 2007 - mvidner@suse.cz - Do not log return value from clients (#248300). Modified: branches/SuSE-SLE-10-SP1-Branch/core/wfm/src/Y2CCWFM.cc URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-SLE-10-SP1-Branch/core/wf... ============================================================================== --- branches/SuSE-SLE-10-SP1-Branch/core/wfm/src/Y2CCWFM.cc (original) +++ branches/SuSE-SLE-10-SP1-Branch/core/wfm/src/Y2CCWFM.cc Mon Dec 17 15:56:24 2007 @@ -90,7 +90,11 @@ { // not found "clients/<name>.ycp" // try plain name + // only if the name contains a slash, #330965#c10 + if (!strchr (name, '/')) + return 0; + // we have to keep completeFilename because it also does :: translation :( fullname = Y2PathSearch::completeFilename (string (name)); if (fullname.empty()) return 0; 
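Review bot: In the first Y2CCWFM.cc hunk, the new `if (!strchr (name, '/')) return 0;` guard tests the raw name before `Y2PathSearch::completeFilename` runs, yet the comment added just below says that call is kept for its `::` translation. If that translation can turn a `::`-qualified name into a path (its implementation is not shown here), a name of that form with no slash is now rejected before it is translated. Please confirm that is intended and record it in the comment, for example `// names without '/' (including a::b forms) are never looked up by plain path`. A debug-level log entry on this early return would also explain to an administrator why a client that used to load from the working directory is no longer found. The enclosing function starts and ends outside the hunk.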
@@ -99,22 +103,14 @@ if (!file) return 0; // Not found under the direct path either. filename = name; - // 2nd try: examine the file: Is it not executable or does - // the name end in .ycp or does the file begin with #!/bin/y2wfm + // 2nd try: examine the file: does the name end in .ycp bool try_it = false; if (strlen(name) > 4 && !strcmp(name + strlen(name) - 4, ".ycp")) try_it = true; - else { - struct stat buf; - if (0 == stat(name, &buf)) - { - // Try it, if it is not executable - if (S_ISREG(buf.st_mode) && buf.st_mode & S_IXOTH != S_IXOTH) - try_it = true; - } - } + // The stat code that used to be here had a bug + // in operator precedence rendering it useless. let's make it explicit. if (!try_it) return 0; modulename = string(name); -- To unsubscribe, e-mail: yast-commit+unsubscribe@opensuse.org For additional commands, e-mail: yast-commit+help@opensuse.org
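Review bot: In the second Y2CCWFM.cc hunk, `if (!try_it) return 0;` leaves the function while `file` is presumably still open; the `if (!file) return 0;` check at the top of the hunk implies a successful open, though the open call itself is outside the hunk. That exit is taken for every name that does not end in `.ycp`, so the handle should be released first, e.g. `if (!try_it) { fclose (file); return 0; }` if `file` is a `FILE *`. The replacement comment could also name the actual defect: `!=` binds tighter than `&`, so `buf.st_mode & S_IXOTH != S_IXOTH` was evaluated as `buf.st_mode & 0` and was never true, which is why dropping the branch changes no behaviour. The enclosing block starts before this hunk.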