texlive[58324] Build/source/texk/dvipdfm-x: dvipdfmx: Do not allow
commits+kakuto at tug.org
Sat Mar 13 22:26:22 CET 2021
Revision: 58324
http://tug.org/svn/texlive?view=revision&revision=58324
Author: kakuto
Date: 2021-03-13 22:26:22 +0100 (Sat, 13 Mar 2021)
Log Message:
-----------
dvipdfmx: Do not allow directory separators in an optarg in an option -i optarg for security reasons.
Modified Paths:
--------------
trunk/Build/source/texk/dvipdfm-x/ChangeLog
trunk/Build/source/texk/dvipdfm-x/dvipdfmx.c
Modified: trunk/Build/source/texk/dvipdfm-x/ChangeLog
===================================================================
--- trunk/Build/source/texk/dvipdfm-x/ChangeLog 2021-03-13 07:35:39 UTC (rev 58323)
+++ trunk/Build/source/texk/dvipdfm-x/ChangeLog 2021-03-13 21:26:22 UTC (rev 58324)
@@ -1,3 +1,8 @@
+2021-03-14 Akira Kakuto <kakuto at w32tex.org>
+
+ * dvipdfmx.c: Do not allow directory separators in an optarg
+ in an option -i optarg for security reason.
+
2021-03-05 Akira Kakuto <kakuto at w32tex.org>
* pdfdev.c: Correct the incomplete fix on 2021-03-04.
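Review bot: The new ChangeLog entry says only that separators are "not allowed"; it would help future readers to record what the code actually does, namely that an optarg containing '/' or '\\' is rejected with a warning and the default configuration file is read instead, so that anyone reviewing a later bug report does not have to dig into dvipdfmx.c to learn that -i silently falls back rather than aborting. Also note the entry is dated 2021-03-14 while the commit timestamp is 2021-03-13 (CET); harmless, but worth keeping consistent.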
Modified: trunk/Build/source/texk/dvipdfm-x/dvipdfmx.c
===================================================================
--- trunk/Build/source/texk/dvipdfm-x/dvipdfmx.c 2021-03-13 07:35:39 UTC (rev 58323)
+++ trunk/Build/source/texk/dvipdfm-x/dvipdfmx.c 2021-03-13 21:26:22 UTC (rev 58324)
@@ -614,8 +614,19 @@
case 'i':
{
+/*
+ -i ./foo.cfg, -i /usr/abc/foo.cfg, etc. are not allowed for
+ security reason.
+*/
+ char *dir1, *dir2;
int optind_save= optind;
- read_config_file(optarg);
+ dir1 = strrchr(optarg, '/');
+ dir2 = strrchr(optarg, '\\');
+ if (dir1 || dir2) {
+ WARN("%s is not allowed. Default configuration file is used.", optarg);
+ } else {
+ read_config_file(optarg);
+ }
optind = optind_save;
break;
}
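Review bot: The check only tests whether strrchr() returns non-NULL, so strchr() would express the intent ("does the argument contain a separator at all") more directly than strrchr(), which implies interest in the last occurrence. On the behaviour itself: rejecting the argument and falling through to the default configuration with a WARN means a mistyped -i value degrades silently to a different configuration instead of failing; consider whether an error exit is the safer default, since callers who relied on -i will not expect their settings to be ignored. Finally, the filter stops '/' and '\\' only; on Windows a drive-relative spelling such as "C:foo.cfg" contains neither character, so if the goal is to restrict -i to a bare file name resolved through the normal search path, rejecting ':' on Windows as well would close that gap. A short comment stating that read_config_file() resolves a bare name via the usual search path (and therefore why a bare name is considered safe) would make the intent of the comment block at the top of the hunk clearer.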