--- groff-1.16/src/roff/troff/input.cc.safer Wed Jun 7 21:47:48 2000 +++ groff-1.16/src/roff/troff/input.cc Wed Jun 7 21:50:37 2000 @@ -90,6 +90,8 @@ static int inhibit_errors = 0; static int ignoring = 0; +static int safer_flag = 1; // safer by default + static void enable_warning(const char *); static void disable_warning(const char *); @@ -4404,12 +4406,28 @@ else { while (!tok.newline() && !tok.eof()) tok.next(); - errno = 0; - FILE *fp = fopen(nm.contents(), "r"); - if (fp) - input_stack::push(new file_iterator(fp, nm.contents())); - else - error("can't open `%1': %2", nm.contents(), strerror(errno)); + char cbuf[PATH_MAX], * cwd; + char pbuf[PATH_MAX], * path; + struct stat st; + + if ((cwd = realpath(".", cbuf)) == NULL) + error("realpath on `%1' failed: %2", ".", strerror(errno)); + else if ((path = realpath(nm.contents(), pbuf)) == NULL) + error("realpath on `%1' failed: %2", nm.contents(), strerror(errno)); + else if (safer_flag && strncmp(cwd, path, strlen(cwd))) + error("won't source `%1' outside of `%2' without -U flag", path, cwd); + else if (stat(path, &st) < 0) + error("can't stat `%1': %2", path, strerror(errno)); + else if (safer_flag && !S_ISREG(st.st_mode)) + error("won't source non-file `%1' without -U flag", path); + else { + errno = 0; + FILE *fp = fopen(path, "r"); + if (fp) + input_stack::push(new file_iterator(fp, nm.contents())); + else + error("can't open `%1': %2", path, strerror(errno)); + } tok.next(); } } @@ -5669,7 +5687,6 @@ int tflag = 0; int fflag = 0; int nflag = 0; - int safer_flag = 1; // safer by default int no_rc = 0; // don't process troffrc and troffrc-end int next_page_number; opterr = 0;