Re: Help fixes & Misc.



Hello!

Please disregard the reply sent in private.  This discussion should be
kept open.

> >>a) This one has nothing to do with the help browser, but with the
> >>viewer. Go to mc.1 and try F3-F8-F8. No fix included, it was out of my
> >>way...
> > 
> > This goes to my TODO list.  Not sure if I can do it before 4.6.0 release.  
> > Any help will be appreciated.
> 
> Looks like another security issue. A malicious user can put a script with 
> the same name.  Maybe file permissions and ownership must be checked 
> before execution.

Yes.  But it's not such a big issue to discuss it privately.  The user has
to do something unusual (pressing F8 twice), and the attacker must act
within a certain time interval (after the file was opened in the viewer).

The script should not be re-run if we don't preserve it.  Pressing F8 
essentially restarts the viewer.  Possible solutions:

1) Get rid of the scripts, use system() or something like that.  The
reason to use scripts was to enforce Bourne shell syntax (see comment in
ext.c).  But I think that all advanced scripting should be kept out of 
mc.ext.

2) Preserve scripts until the viewer exits.

3) Create a new script.

4) Disable F8 when it would require re-running the script.

The current viewer code is too complicated to be modified safely.  In
particular, there are several global variables, modified both in view.c
and outside it.  Look for example at altered_magic_flag - it is set to 1
in view.c and reset to 0 in view_file_at_line() in cmd.c, but not always -
it's left unchanged if plain view is not forced, but the internal 
viewer is still used.

I'll try to simplify those dependencies - maybe it will give me a better 
understanding of the code.

If not for the security issue, I'd rather wait until we rewrite mc.ext 
support, when it would be clear if the scripts are still needed.  But I 
think we'll have to do something before the next release.

> Maybe we need the ability to show the original mc.hlp.

LC_ALL=C man mc

Should be sufficient for most users who are not satisfied with the
translations.

> BTW there are a lot of .IR, .BR, etc. in the Polish mc.1.in.
> As far as I know, SCO's man/mandoc does not support them, as far as man2hlp 
> (easy to implement, and we need better .IP handling).

I think it's better to replace those macros.

> And I would like to see some machinery to choose what translated manuals 
> and help files to install.
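
Added example, not part of the original message and not mc's own code: a C illustration of the ownership and permission check suggested in the quoted reply, combined with solution 2 (keep the script, and an open descriptor to it, until the viewer exits). The helper names, the /tmp path and the replacement scenario are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create the script with mkstemp() (O_EXCL, 0600) and
   return the open fd, which the caller keeps until the viewer exits. */
int script_create(char *path_tmpl, const char *body)
{
    size_t len = strlen(body);
    int fd = mkstemp(path_tmpl);
    if (fd < 0) return -1;
    if (write(fd, body, len) == (ssize_t) len && fchmod(fd, 0700) == 0)
        return fd;
    close(fd);
    unlink(path_tmpl);
    return -1;
}

/* 1 only if path still names the inode behind fd, is a regular file (not a
   symlink), is owned by us and is not writable by group or others. */
int script_still_ours(int fd, const char *path)
{
    struct stat a, b;
    if (fstat(fd, &a) != 0 || lstat(path, &b) != 0)
        return 0;
    return S_ISREG(b.st_mode) && a.st_dev == b.st_dev && a.st_ino == b.st_ino
        && b.st_uid == geteuid() && (b.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Constructed scenario: the script is removed and another file appears under
   the same name.  Returns 10: check passes before (1), fails after (0). */
int demo(void)
{
    char path[] = "/tmp/mcext-demo-XXXXXX";   /* constructed name */
    int fd = script_create(path, "#!/bin/sh\necho view\n");
    if (fd < 0) return -1;
    int before = script_still_ours(fd, path);
    unlink(path);
    int other = open(path, O_WRONLY | O_CREAT | O_EXCL, 0700);
    int after = script_still_ours(fd, path);
    if (other >= 0) close(other);
    unlink(path);
    close(fd);
    return before * 10 + after;
}

int main(void) { return demo() == 10 ? 0 : 1; }
```

The check and the later exec remain two separate steps, so the script should also live in a directory that only the user can write to.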


