mirrors/maomaowm
1
0
Fork 0
mirror of https://github.com/DreamMaoMao/maomaowm.git synced 2026-06-19 14:33:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

Harden session launch command recovery

Browse source
This commit is contained in:
cheerfulScumbag 2026-03-23 19:09:13 +00:00
parent cbfaf4a84a
commit cef9c3ea31
3 changed files with 380 additions and 83 deletions
Download patch file Download diff file Expand all files Collapse all files

27
src/session/session.c
View file

@ -82,6 +82,23 @@ static char *session_file_path(void) {
return path;
}
static bool session_file_is_trusted(const char *path) {
struct stat st;
uid_t uid = getuid();
if (!path || stat(path, &st) != 0)
return false;
if (!S_ISREG(st.st_mode))
return false;
if (st.st_uid != uid)
return false;
if ((st.st_mode & (S_IWGRP | S_IWOTH)) != 0)
return false;
return true;
}
static void free_pending_entries(void) {
free(pending_entries);
pending_entries = NULL;
@ -275,6 +292,16 @@ static bool load_pending_entries(void) {
if (!path)
return false;
if (access(path, F_OK) != 0)
goto cleanup;
if (!session_file_is_trusted(path)) {
fprintf(stderr,
"mango session: refusing to restore from untrusted session file: %s\n",
path);
goto cleanup;
}
in = fopen(path, "r");
if (!in)
goto cleanup;