From 8ef0b344d6e43cc7d541f47c8562ecef31377c0b Mon Sep 17 00:00:00 2001
From: John Cupitt
Date: Sun, 3 Oct 2010 17:10:11 +0000
Subject: [PATCH] security fix for setting env vars
---
 ChangeLog | 1 +
 TODO | 3 ---
 tools/scripts/vips-7.23 | 25 ++++++++++++++++++++-----
 3 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index a5ac1046..fd460dc9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -32,6 +32,7 @@
 - added im_draw_smudge(), moved im_smudge() / im_smear() to deprecated
 - convolution functions support complex images
 - im_blend() can have any format condition image and it's converted to uchar
+- security fix for vips-7.23 wrapper script (thanks Jay)
 
 12/5/10 started 7.22.2
 - the conditional image of ifthenelse can be any format, a (!=0) is added if
diff --git a/TODO b/TODO
index d7a640ab..c7db4459 100644
--- a/TODO
+++ b/TODO
@@ -1,4 +1,3 @@
-- check gtk-doc output
 - maybe im_draw_smudge() is too slow :-( also, we had a sanity failure with it, argh
@@ -10,8 +9,6 @@
 - how do we wrap inplace ops in C++ now? will checking the RW bit help at all?
-- use im__inplace_base() in more places
-
 - consider: if( im_check_vector( "im__vector_to_ink", n, im ) )
diff --git a/tools/scripts/vips-7.23 b/tools/scripts/vips-7.23
index ee887528..9a848d93 100755
--- a/tools/scripts/vips-7.23
+++ b/tools/scripts/vips-7.23
@@ -19,6 +19,20 @@ if [[ $# < 1 ]]; then
 exit 1
 fi
 
+# prepend a path component to an environment variable
+# be careful to avoid trailing : characters if the var is not defined, they
+# can cause security problems
+function prepend_var () {
+ # we have to use eval to do double indirection, I think
+ eval value=x"\$$1"
+ if [ $value = x ]; then
+ export $1=$2
+ else
+ eval value="\$$1"
+ export $1=$2:$value
+ fi
+}
+
 # try to extract the prefix from a path to an executable
 # eg. "/home/john/vips/bin/fred" -> "/home/john/vips"
 function find_prefix () {
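Review bot: `eval value=x"\$$1"` in the new prepend_var re-parses the target variable's current contents as shell code, because after the first expansion the eval'd line is `value=x<contents>` with the contents unquoted, so a MANPATH or LD_LIBRARY_PATH value containing whitespace or shell metacharacters is word-split and its tail is executed as a command rather than stored; the same unquoted expansion recurs in `[ $value = x ]` and `export $1=$2:$value`. Since the script already relies on bash (`[[ $# < 1 ]]` in the hunk's context line), bash indirect expansion `${!name}` gives the double indirection without eval, and quoting the export argument keeps the value intact. `value` should also be `local` so the helper does not leave a global behind. The rewrite below keeps the same calling convention (`prepend_var VAR DIR`) and the same unset-or-empty test that the x-prefix trick implemented.
```shell
function prepend_var () {
    # ${!name} is bash indirect expansion: no eval, so the variable's
    # contents are never re-parsed as shell code
    local name=$1 dir=$2
    local value=${!name}
    if [ -z "$value" ]; then
        export "$name=$dir"
    else
        export "$name=$dir:$value"
    fi
}
```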
@@ -92,25 +106,26 @@ fi
 export VIPSHOME=$prefix
 # add VIPSHOME to man pages
-export MANPATH=$VIPSHOME/man:$MANPATH
+prepend_var MANPATH $VIPSHOME/man
 # add the VIPS lib area to the library path
 case `uname` in
 HPUX)
- export SHLIB_PATH=$VIPSHOME/lib:$SHLIB_PATH
+ libvar=SHLIB_PATH
 ;;
 Darwin)
- export DYLD_LIBRARY_PATH=$VIPSHOME/lib:$DYLD_LIBRARY_PATH
+ libvar=DYLD_LIBRARY_PATH
 ;;
 *)
- export LD_LIBRARY_PATH=$VIPSHOME/lib:$LD_LIBRARY_PATH
+ libvar=LD_LIBRARY_PATH
 ;;
 esac
+prepend_var $libvar $VIPSHOME/lib
 # add VIPS bin area to path
-export PATH=$VIPSHOME/bin:$PATH
+prepend_var PATH $VIPSHOME/bin
 # run, passing in args we were passed
 exec $*
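Review bot: The new `prepend_var MANPATH $VIPSHOME/man`, `prepend_var $libvar $VIPSHOME/lib` and `prepend_var PATH $VIPSHOME/bin` calls pass their arguments unquoted, so if `$prefix` (computed outside this hunk) contains whitespace the directory is split into several positional parameters and prepend_var prepends only the first word; write them as `prepend_var MANPATH "$VIPSHOME/man"`, `prepend_var "$libvar" "$VIPSHOME/lib"` and `prepend_var PATH "$VIPSHOME/bin"`. The unchanged `exec $*` on the last line has the same problem for the wrapper's own arguments: `$*` re-splits them on whitespace, whereas `exec "$@"` forwards them verbatim. Both quoting fixes fall outside what this commit changes but are in the same spirit as its path handling.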