Attachment #12945 for bug #24810

View | Details | Raw Unified | Return to bug 24810
Collapse All | Expand All

Lines 66-71 Link Here

(-)crypto/heimdal/appl/ftp/ftpd/popen.c (-4 / +7 lines)
66		66
67	#include <roken.h>	67	#include <roken.h>
68		68
		69	#define MAXUSRARGS 100
		70	#define MAXGLOBARGS 1000
		71
69	/*	72	/*
70	* Special version of popen which avoids call to shell. This ensures	73	* Special version of popen which avoids call to shell. This ensures
71	* no one may create a pipe to a hidden program as a side effect of a	74	* no one may create a pipe to a hidden program as a side effect of a
Lines 103-109 Link Here
103	char *cp;	106	char *cp;
104	FILE *iop;	107	FILE *iop;
105	int argc, gargc, pdes[2], pid;	108	int argc, gargc, pdes[2], pid;
106	char *pop, argv[100], *gargv[1000];	109	char *pop, argv[MAXUSRARGS], *gargv[MAXGLOBARGS];
107	char *foo;	110	char *foo;
108		111
109	if (strcmp(type, "r") && strcmp(type, "w"))	112	if (strcmp(type, "r") && strcmp(type, "w"))
Lines 126-139 Link Here
126		129
127	/* break up string into pieces */	130	/* break up string into pieces */
128	foo = NULL;	131	foo = NULL;
129	for (argc = 0, cp = program;; cp = NULL) {	132	for (argc = 0, cp = program; argc < MAXUSRARGS; cp = NULL) {
130	if (!(argv[argc++] = strtok_r(cp, " \t\n", &foo)))	133	if (!(argv[argc++] = strtok_r(cp, " \t\n", &foo)))
131	break;	134	break;
132	}	135	}
133		136
134	gargv[0] = (char*)ftp_rooted(argv[0]);	137	gargv[0] = (char*)ftp_rooted(argv[0]);
135	/* glob each piece */	138	/* glob each piece */
136	for (gargc = argc = 1; argv[argc]; argc++) {	139	for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) {
137	glob_t gl;	140	glob_t gl;
138	int flags = GLOB_BRACE\|GLOB_NOCHECK\|GLOB_QUOTE\|GLOB_TILDE;	141	int flags = GLOB_BRACE\|GLOB_NOCHECK\|GLOB_QUOTE\|GLOB_TILDE;
139		142
Lines 141-147 Link Here
141	if (no_glob \|\| glob(argv[argc], flags, NULL, &gl))	144	if (no_glob \|\| glob(argv[argc], flags, NULL, &gl))
142	gargv[gargc++] = strdup(argv[argc]);	145	gargv[gargc++] = strdup(argv[argc]);
143	else	146	else
144	for (pop = gl.gl_pathv; *pop; pop++)	147	for (pop = gl.gl_pathv; *pop && gargc < (MAXGLOBARGS-1); pop++)
145	gargv[gargc++] = strdup(*pop);	148	gargv[gargc++] = strdup(*pop);
146	globfree(&gl);	149	globfree(&gl);
147	}	150	}

Lines 66-71 Link Here

(-)crypto/kerberosIV/appl/ftp/ftpd/popen.c (-4 / +7 lines)
66		66
67	#include <roken.h>	67	#include <roken.h>
68		68
		69	#define MAXUSRARGS 100
		70	#define MAXGLOBARGS 1000
		71
69	/*	72	/*
70	* Special version of popen which avoids call to shell. This ensures	73	* Special version of popen which avoids call to shell. This ensures
71	* no one may create a pipe to a hidden program as a side effect of a	74	* no one may create a pipe to a hidden program as a side effect of a
Lines 103-109 Link Here
103	char *cp;	106	char *cp;
104	FILE *iop;	107	FILE *iop;
105	int argc, gargc, pdes[2], pid;	108	int argc, gargc, pdes[2], pid;
106	char *pop, argv[100], *gargv[1000];	109	char *pop, argv[MAXUSRARGS], *gargv[MAXGLOBARGS];
107	char *foo;	110	char *foo;
108		111
109	if (strcmp(type, "r") && strcmp(type, "w"))	112	if (strcmp(type, "r") && strcmp(type, "w"))
Lines 126-139 Link Here
126		129
127	/* break up string into pieces */	130	/* break up string into pieces */
128	foo = NULL;	131	foo = NULL;
129	for (argc = 0, cp = program;; cp = NULL) {	132	for (argc = 0, cp = program; argc < MAXUSRARGS; cp = NULL) {
130	if (!(argv[argc++] = strtok_r(cp, " \t\n", &foo)))	133	if (!(argv[argc++] = strtok_r(cp, " \t\n", &foo)))
131	break;	134	break;
132	}	135	}
133		136
134	gargv[0] = (char*)ftp_rooted(argv[0]);	137	gargv[0] = (char*)ftp_rooted(argv[0]);
135	/* glob each piece */	138	/* glob each piece */
136	for (gargc = argc = 1; argv[argc]; argc++) {	139	for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) {
137	glob_t gl;	140	glob_t gl;
138	int flags = GLOB_BRACE\|GLOB_NOCHECK\|GLOB_QUOTE\|GLOB_TILDE;	141	int flags = GLOB_BRACE\|GLOB_NOCHECK\|GLOB_QUOTE\|GLOB_TILDE;
139		142
Lines 141-147 Link Here
141	if (no_glob \|\| glob(argv[argc], flags, NULL, &gl))	144	if (no_glob \|\| glob(argv[argc], flags, NULL, &gl))
142	gargv[gargc++] = strdup(argv[argc]);	145	gargv[gargc++] = strdup(argv[argc]);
143	else	146	else
144	for (pop = gl.gl_pathv; *pop; pop++)	147	for (pop = gl.gl_pathv; *pop && gargc < (MAXGLOBARGS-1); pop++)
145	gargv[gargc++] = strdup(*pop);	148	gargv[gargc++] = strdup(*pop);
146	globfree(&gl);	149	globfree(&gl);
147	}	150	}

Return to bug 24810