lib: convert relative filenames to absolute in n_d_index_file

The API docs promise to handle relative filenames, but the code did
not do it.

Also check for files outside the mail root, as implied by the API
description.

This fixes the bug reported at

     id:87sgdqo0rz.fsf@tethera.net
This commit is contained in:
David Bremner 2020-07-18 21:11:28 -03:00
parent be3f4aec3f
commit c477d7ce31
2 changed files with 37 additions and 5 deletions

View file

@ -64,21 +64,37 @@ _notmuch_message_file_open_ctx (notmuch_database_t *notmuch,
if (unlikely (message == NULL)) if (unlikely (message == NULL))
return NULL; return NULL;
message->filename = talloc_strdup (message, filename); const char *prefix = notmuch_database_get_path (notmuch);
if (prefix == NULL)
goto FAIL;
if (*filename == '/') {
if (strncmp (filename, prefix, strlen(prefix)) != 0) {
_notmuch_database_log (notmuch, "Error opening %s: path outside mail root\n",
filename);
errno = 0;
goto FAIL;
}
message->filename = talloc_strdup (message, filename);
} else {
message->filename = talloc_asprintf(message, "%s/%s", prefix, filename);
}
if (message->filename == NULL) if (message->filename == NULL)
goto FAIL; goto FAIL;
talloc_set_destructor (message, _notmuch_message_file_destructor); talloc_set_destructor (message, _notmuch_message_file_destructor);
message->stream = g_mime_stream_gzfile_open (filename); message->stream = g_mime_stream_gzfile_open (message->filename);
if (message->stream == NULL) if (message->stream == NULL)
goto FAIL; goto FAIL;
return message; return message;
FAIL: FAIL:
_notmuch_database_log (notmuch, "Error opening %s: %s\n", if (errno)
filename, strerror (errno)); _notmuch_database_log (notmuch, "Error opening %s: %s\n",
filename, strerror (errno));
_notmuch_message_file_close (message); _notmuch_message_file_close (message);
return NULL; return NULL;

View file

@ -258,7 +258,6 @@ test_expect_equal_file EXPECTED OUTPUT
generate_message '[filename]=relative_path' generate_message '[filename]=relative_path'
test_begin_subtest "index file (relative path)" test_begin_subtest "index file (relative path)"
test_subtest_known_broken
cat c_head - c_tail <<'EOF' | test_C ${MAIL_DIR} cat c_head - c_tail <<'EOF' | test_C ${MAIL_DIR}
{ {
notmuch_message_t *msg; notmuch_message_t *msg;
@ -273,4 +272,21 @@ cat <<EOF > EXPECTED
EOF EOF
test_expect_equal_file EXPECTED OUTPUT test_expect_equal_file EXPECTED OUTPUT
test_begin_subtest "index file (absolute path outside mail root)"
cat c_head - c_tail <<'EOF' | test_C ${MAIL_DIR}
{
notmuch_message_t *msg;
stat = notmuch_database_index_file (db, "/dev/zero", NULL, &msg);
printf ("%d\n", stat == NOTMUCH_STATUS_FILE_ERROR);
}
EOF
cat <<EOF > EXPECTED
== stdout ==
1
== stderr ==
Error opening /dev/zero: path outside mail root
EOF
test_expect_equal_file EXPECTED OUTPUT
test_done test_done