This patch fixes a security issue in scrollkeeper.  It will be integrated
into the next release.

--- cl/src/get-cl.c	2002/02/25 08:23:14	1.18
+++ cl/src/get-cl.c	2002/09/22 07:13:59	1.19
@@ -27,6 +27,7 @@
 #include <unistd.h>
 #include <sys/stat.h>
 #include <locale.h>
+#include <fcntl.h>
 
 /* cycles through five temporary filenames of the form /tmp/scrollkeeper-templfile.x,
    where x is number from 0 to 4 and returns the first one that does not exist or the
@@ -35,7 +36,7 @@
 static char *get_next_free_temp_file_path(char outputprefs)
 {
 	char path[PATHLEN], *filename;
-	int i, num;
+	int i, num, fd;
 	struct stat buf;
 	time_t prev;
 	
@@ -82,6 +83,17 @@
 	check_ptr(filename, "scrollkeeper-get-cl");
 	snprintf(filename, PATHLEN, "/tmp/scrollkeeper-tempfile.%d", num);
 
+	unlink(filename);
+	
+	fd = open(filename, O_RDWR | O_CREAT | O_EXCL | O_TRUNC | O_NONBLOCK,
+		  S_IRWXU | S_IRGRP | S_IROTH);
+
+	if (fd < 0) {
+	        fprintf (stderr, _("scrollkeeper-get-cl: Cannot open temp file: %s\n"), filename);
+		exit (EXIT_FAILURE);
+	}
+	close(fd);
+	
 	return filename;
 }
 
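Review bot: The mode passed to `open()` is `S_IRWXU | S_IRGRP | S_IROTH`, which makes the temporary file owner-executable and, umask permitting, readable by every local user; a scratch file needs only owner read/write. `O_TRUNC` and `O_NONBLOCK` add nothing next to `O_CREAT | O_EXCL` on a regular file, so the call can be `fd = open(filename, O_RDWR | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);`. The descriptor is closed and only the path is returned, so whoever uses the result presumably opens it again by name; that stays safe only while /tmp is sticky and the file remains owned by this user, which deserves a comment here. The result of `unlink(filename)` is not checked, so when the predictable name is held by another user the program exits with a "Cannot open temp file" message that does not say why. The function body starts above this hunk.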
--- libs/extract.c.orig	Wed Jul 24 22:25:34 2002
+++ libs/extract.c	Thu Jan 16 01:39:54 2003
@@ -43,16 +43,18 @@
 	int i;
 	int returnval = 1;
 	FILE *fid;
+	struct stat buf;
 #ifndef SOLARIS
 	char line[1024], *start, *end;
 	int num;
 	FILE *res_fid;
 	char *doctype;
 	char command[1024];
-	pid_t pid;
 	char temp1[PATHLEN], temp2[PATHLEN], errors[PATHLEN];
+	int temp1_fd, temp2_fd, errors_fd;
 #endif
-	struct stat buf;
+
+	setenv("XML_CATALOG_FILES", SK_XML_CATALOGS, 1);
 
 	if (input_file == NULL ||
 	    stylesheets == NULL ||
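Review bot: The return value of `setenv("XML_CATALOG_FILES", SK_XML_CATALOGS, 1)` is ignored, so if the call fails, whatever catalog list the caller's environment carried stays in effect while the code carries on as if it had been pinned. The call also runs before the argument check that follows and changes the environment of the whole process, which is a notable side effect for library code. Suggested: `if (setenv("XML_CATALOG_FILES", SK_XML_CATALOGS, 1) != 0) return 0;`, with a comment such as `/* pin catalog lookup to the installed catalogs; overrides the caller's XML_CATALOG_FILES */`. The function starts above this hunk and continues below it.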
@@ -69,11 +71,23 @@
 #ifdef SOLARIS
 		doc = docbParseFile(input_file, NULL);
 #else
-		pid = getpid();		
-		
-		snprintf(temp1, PATHLEN, "/var/tmp/scrollkeeper-extract-1-%ld.xml", (long)pid);
-		snprintf(temp2, PATHLEN, "/var/tmp/scrollkeeper-extract-2-%ld.xml", (long)pid);
-		snprintf(errors, PATHLEN, "/var/tmp/scrollkeeper-extract-errors-%ld", (long)pid);		
+		snprintf(temp1, PATHLEN, SCROLLKEEPER_STATEDIR "/tmp/scrollkeeper-extract-1.xml.XXXXXX");
+		snprintf(temp2, PATHLEN, SCROLLKEEPER_STATEDIR "/tmp/scrollkeeper-extract-2.xml.XXXXXX");
+		snprintf(errors, PATHLEN, SCROLLKEEPER_STATEDIR "/tmp/scrollkeeper-extract-errors.XXXXXX");
+
+		temp1_fd = mkstemp(temp1);
+		printf ("%s\n", temp1);
+		if (temp1_fd == -1) {
+			sk_message(outputprefs, SKOUT_DEFAULT, SKOUT_QUIET, "(apply_stylesheets)", _("Cannot create temporary file: %s : %s\n"),temp1, strerror(errno));
+			return 0;
+		}
+		  
+		errors_fd = mkstemp(errors);
+		if (errors_fd == -1) {
+			sk_message(outputprefs, SKOUT_DEFAULT, SKOUT_QUIET, "(apply_stylesheets)", _("Cannot create temporary file: %s : %s\n"),errors, strerror(errno));
+			return 0;
+		}
+		close(errors_fd);
 
 		snprintf(command, 1024, "sgml2xml -xlower -f%s %s > %s", errors, input_file, temp1);
 		system(command);
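Review bot: When `mkstemp(errors)` fails, the branch returns with `temp1_fd` still open and the file named by `temp1` left on disk; add `close(temp1_fd); unlink(temp1);` before that `return 0;`. The `fopen(input_file, "r")` failure path in the next hunk closes `temp1_fd` but likewise never unlinks `temp1`. `printf ("%s\n", temp1);` looks like leftover debugging: it writes the temporary path to stdout on every run and executes before the `-1` check, so it should be removed. The context lines below still paste `errors`, `input_file` and `temp1` unquoted into a `system()` command line, which this patch leaves as it was. The enclosing function extends beyond the hunk on both sides.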
@@ -83,6 +97,7 @@
 		fid = fopen(input_file, "r");
 		if (fid == NULL) {
 			sk_message(outputprefs, SKOUT_DEFAULT, SKOUT_QUIET, "(apply_stylesheets)", _("Cannot read file: %s : %s\n"),input_file, strerror(errno));
+		        close(temp1_fd);
 			return 0;
 		}
 
@@ -106,14 +121,25 @@
 		}
 		
 		if (doctype == NULL) {
+		        close(temp1_fd);
 			unlink(temp1);
 			return 0;		
 		}
-		
-		fid = fopen(temp1, "r");
-		res_fid = fopen(temp2, "w");
+
+		temp2_fd = mkstemp(temp2);
+		if (temp2_fd == -1) {
+		        close(temp1_fd);
+			unlink(temp1);
+			sk_message(outputprefs, SKOUT_DEFAULT, SKOUT_QUIET, "(apply_stylesheets)", _("Cannot create temporary file: %s : %s\n"),temp2, strerror(errno));
+			return 0;
+		}
+
+		fid = fdopen(temp1_fd, "r");
+		res_fid = fdopen(temp2_fd, "w");
 		if (fid == NULL || res_fid == NULL) {
+		        close(temp1_fd);
 			unlink(temp1);
+		        close(temp2_fd);
 			unlink(temp2);
 			return 0;
 		}
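Review bot: In the `fid == NULL || res_fid == NULL` branch, a stream that `fdopen()` did manage to create is never `fclose()`d; its descriptor is closed underneath it with `close()`, which leaks the `FILE` object. Close through the stream when it exists: `if (fid != NULL) fclose(fid); else close(temp1_fd);` and `if (res_fid != NULL) fclose(res_fid); else close(temp2_fd);`, followed by the two `unlink()` calls. None of the failure paths visible in this hunk removes the `errors` file created earlier; if it is not cleaned up further down, outside the hunk, `unlink(errors);` belongs in these branches too.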
--- libs/Makefile.in.orig	Thu Jan 16 01:38:23 2003
+++ libs/Makefile.in	Thu Jan 16 01:47:46 2003
@@ -130,7 +130,9 @@
 INCLUDES = \
         $(XML_CFLAGS) \
 	$(XSLT_CFLAGS) \
-	$(HOST_TYPE)
+	$(HOST_TYPE) \
+	-DSCROLLKEEPER_STATEDIR=\""$(localstatedir)"\" \
+	-DSK_XML_CATALOGS=\""%%LOCALBASE%%/share/sk/catalog %%LOCALBASE%%/share/sk/docbook/catalog"\"
 
 
 libscrollkeeper_la_SOURCES = \
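Review bot: `%%LOCALBASE%%` in the `-DSK_XML_CATALOGS` value looks like a packaging placeholder that an external step has to substitute. If this Makefile.in is used without that step, the literal string is compiled in and handed to `XML_CATALOG_FILES`, so no catalog will be found. Deriving the path from a configure variable, as the neighbouring `-DSCROLLKEEPER_STATEDIR=\""$(localstatedir)"\"` does, would avoid that. The C changes also assume that `$(localstatedir)/tmp` exists and is a directory other users cannot write to; nothing in this patch creates it, so an install rule or at least a comment stating the requirement is needed.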
