mirror of
https://github.com/xroche/httrack.git
synced 2026-07-11 19:36:52 +03:00
Compare commits
3 Commits
master
...
codeql-wor
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
81a27e713f | ||
|
|
a4b05a3f42 | ||
|
|
d6fcf51a57 |
6
.github/workflows/codeql.yml
vendored
6
.github/workflows/codeql.yml
vendored
@@ -43,6 +43,12 @@ jobs:
|
|||||||
languages: c-cpp
|
languages: c-cpp
|
||||||
build-mode: manual
|
build-mode: manual
|
||||||
queries: security-extended
|
queries: security-extended
|
||||||
|
# fopen's umask-controlled 0666 is intended for mirror/cache/log
|
||||||
|
# output; the one credential file (cookies.txt) is kept 0600 on Unix.
|
||||||
|
config: |
|
||||||
|
query-filters:
|
||||||
|
- exclude:
|
||||||
|
id: cpp/world-writable-file-creation
|
||||||
|
|
||||||
# Manual build: CodeQL traces the compiler, so build exactly what ships.
|
# Manual build: CodeQL traces the compiler, so build exactly what ships.
|
||||||
- name: Build
|
- name: Build
|
||||||
|
|||||||
@@ -307,14 +307,25 @@ int cookie_load(t_cookie * cookie, const char *fpath, const char *name) {
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
// écrire cookies.txt
|
/* Write cookies.txt; returns 0 on success. The jar holds live session
|
||||||
// !=0 : erreur
|
cookies, so keep it owner-only on Unix (Windows inherits folder ACLs). */
|
||||||
int cookie_save(t_cookie * cookie, const char *name) {
|
int cookie_save(t_cookie * cookie, const char *name) {
|
||||||
char catbuff[CATBUFF_SIZE];
|
char catbuff[CATBUFF_SIZE];
|
||||||
|
|
||||||
if (strnotempty(cookie->data)) {
|
if (strnotempty(cookie->data)) {
|
||||||
char BIGSTK line[8192];
|
char BIGSTK line[8192];
|
||||||
|
#ifdef _WIN32
|
||||||
FILE *fp = fopen(fconv(catbuff, sizeof(catbuff), name), "wb");
|
FILE *fp = fopen(fconv(catbuff, sizeof(catbuff), name), "wb");
|
||||||
|
#else
|
||||||
|
const int fd = open(fconv(catbuff, sizeof(catbuff), name),
|
||||||
|
O_WRONLY | O_CREAT | O_TRUNC, HTS_PROTECT_FILE);
|
||||||
|
FILE *fp = fd != -1 ? fdopen(fd, "wb") : NULL;
|
||||||
|
|
||||||
|
if (fd != -1 && fp == NULL)
|
||||||
|
close(fd); /* fdopen failed: don't leak the descriptor */
|
||||||
|
if (fp != NULL) /* O_CREAT's mode skips pre-existing jars: tighten those */
|
||||||
|
(void) fchmod(fd, HTS_PROTECT_FILE);
|
||||||
|
#endif
|
||||||
|
|
||||||
if (fp) {
|
if (fp) {
|
||||||
char *a = cookie->data;
|
char *a = cookie->data;
|
||||||
|
|||||||
@@ -422,9 +422,10 @@ typedef int T_SOC;
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* Permission bits for created folders and files (mkdir and chmod).
|
/* Permission bits for created folders and files (mkdir and chmod).
|
||||||
PROTECT_FOLDER is owner-only. With HTS_ACCESS set (the default) the ACCESS_
|
PROTECT_FOLDER/FILE are owner-only. With HTS_ACCESS set (the default) the
|
||||||
modes also grant group/other read; otherwise they stay owner-only. */
|
ACCESS_ modes also grant group/other read; otherwise they stay owner-only. */
|
||||||
#define HTS_PROTECT_FOLDER (S_IRUSR | S_IWUSR | S_IXUSR)
|
#define HTS_PROTECT_FOLDER (S_IRUSR | S_IWUSR | S_IXUSR)
|
||||||
|
#define HTS_PROTECT_FILE (S_IRUSR | S_IWUSR)
|
||||||
|
|
||||||
#if HTS_ACCESS
|
#if HTS_ACCESS
|
||||||
#define HTS_ACCESS_FILE (S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)
|
#define HTS_ACCESS_FILE (S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)
|
||||||
|
|||||||
@@ -1551,6 +1551,26 @@ static int st_cookies(httrackp *opt, int argc, char **argv) {
|
|||||||
err = 1;
|
err = 1;
|
||||||
if (strstr(hdr, "junk") != NULL) // wrong-domain cookie leaked
|
if (strstr(hdr, "junk") != NULL) // wrong-domain cookie leaked
|
||||||
err = 1;
|
err = 1;
|
||||||
|
#ifndef _WIN32
|
||||||
|
/* the jar holds live session cookies: cookie_save must keep it 0600 */
|
||||||
|
{
|
||||||
|
const char *jar = "st-cookies-jar.txt";
|
||||||
|
struct stat st;
|
||||||
|
|
||||||
|
(void) UNLINK(jar);
|
||||||
|
assertf(cookie_save(&cookie, jar) == 0);
|
||||||
|
assertf(stat(jar, &st) == 0);
|
||||||
|
assertf((st.st_mode & 07777) == HTS_PROTECT_FILE);
|
||||||
|
assertf(st.st_size > 0); /* mode-only checks would pass an empty jar */
|
||||||
|
/* a pre-existing world-readable jar must be tightened, not kept */
|
||||||
|
assertf(chmod(jar, 0644) == 0);
|
||||||
|
assertf(cookie_save(&cookie, jar) == 0);
|
||||||
|
assertf(stat(jar, &st) == 0);
|
||||||
|
assertf((st.st_mode & 07777) == HTS_PROTECT_FILE);
|
||||||
|
assertf(st.st_size > 0);
|
||||||
|
(void) UNLINK(jar);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
printf("cookie-header: %s\n", err ? "FAIL" : "OK");
|
printf("cookie-header: %s\n", err ? "FAIL" : "OK");
|
||||||
if (err)
|
if (err)
|
||||||
printf(" got: %s\n", hdr);
|
printf(" got: %s\n", hdr);
|
||||||
|
|||||||
Reference in New Issue
Block a user