head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.12 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.10 pkgsrc-2012Q4-base:1.2 pkgsrc-2011Q4:1.2.0.8 pkgsrc-2011Q4-base:1.2 pkgsrc-2011Q2:1.2.0.6 pkgsrc-2011Q2-base:1.2 pkgsrc-2009Q4:1.2.0.4 pkgsrc-2009Q4-base:1.2 pkgsrc-2008Q4:1.2.0.2 pkgsrc-2008Q4-base:1.2 pkgsrc-2008Q3:1.1.0.10 pkgsrc-2008Q3-base:1.1 cube-native-xorg:1.1.0.8 cube-native-xorg-base:1.1 pkgsrc-2008Q2:1.1.0.6 pkgsrc-2008Q2-base:1.1 cwrapper:1.1.0.4 pkgsrc-2008Q1:1.1.0.2; locks; strict; comment @# @; 1.2 date 2008.12.06.18.40.33; author wiz; state dead; branches; next 1.1; 1.1 date 2008.04.19.14.28.46; author tonnerre; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2008.04.19.14.28.46; author rtr; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2008.04.20.08.51.34; author rtr; state Exp; branches; next ; desc @@ 1.2 log @Update to 4.0.0: Comix 4.0.0 - Comix has been completely rewritten from scratch. On the surface things look quite a bit like they used to, but the internal workings are entirely new. There are too many changes for them all to be mentioned here, but a couple of highlights are a much more functional library and a new archive editing dialog. The work on this new version of Comix has been going on in rather sporadic phases for almost two years, and during that time I have received help from lots of different people. Now, I must admit, I can no longer remember them all. So instead of trying to list as many as I can here, I will instead simply say thank you to everyone who have contributed fixes, patches, suggestions or encouraging words. Thanks! @ text @$NetBSD: patch-aa,v 1.1 2008/04/19 14:28:46 tonnerre Exp $ Fix insecure temporary file handling in comicthumb utility. Eliminate insufficient escaping on shell calls for rar archives/jpegtran. 
--- mime/comicthumb.orig +++ mime/comicthumb @@@@ -22,6 +22,10 @@@@ import StringIO import re import shutil + +import subprocess +import tempfile + try: import Image except: @@@@ -48,9 +52,13 @@@@ sys.exit(1) # temp directory needed for multiple archives -if not os.path.exists('/tmp/comicthumb/'): - os.makedirs('/tmp/comicthumb/') - os.chmod('/tmp/comicthumb/', 0700) +#if not os.path.exists('/tmp/comicthumb/'): +# os.makedirs('/tmp/comicthumb/') +# os.chmod('/tmp/comicthumb/', 0700) +_tmp_dir = tempfile.mkdtemp(prefix='comixthumb', suffix=os.sep, + dir = '/tmp') +_tmp_dir += "/" + # return the first image in the list def first_image (filelist): @@@@ -101,10 +109,10 @@@@ else: subarchive = first_archive(zipfiles) if subarchive: - output = open("/tmp/comicthumb/archive%d" % (depth), "wb") + output = open( _tmp_dir + "archive%d" % (depth), "wb") output.write(zip.read(subarchive)) output.close() - return get_image("/tmp/comicthumb/archive%d" % (depth), + return get_image( _tmp_dir + "archive%d" % (depth), depth + 1) elif tarfile.is_tarfile(compressed_file): TYPE = TYPE or 'cbt' @@@@ -119,10 +127,10 @@@@ else: subarchive = first_archive(tarfiles) if subarchive: - output = open("/tmp/comicthumb/archive%d" % (depth), "wb") + output = open( _tmp_dir + "archive%d" % (depth), "wb") output.write(tar.extractfile(subarchive).read()) output.close() - return get_image("/tmp/comicthumb/archive%d" % (depth), + return get_image( _tmp_dir + "archive%d" % (depth), depth + 1) elif open(compressed_file, 'rb').read(4) == 'Rar!': TYPE = TYPE or 'cbr' @@@@ -138,20 +146,36 @@@@ if not rar: print "You must install unrar or rar to thumbnail RAR archives." 
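Review bot: In the temp-directory hunk, `suffix=os.sep` already makes `mkdtemp` return a name ending in a separator, and `_tmp_dir += "/"` then appends a second one, so every path built from `_tmp_dir` contains `//`. Dropping the suffix and building paths with `os.path.join(_tmp_dir, "archive%d" % depth)` at the use sites would be cleaner. `dir = '/tmp'` also overrides the user's `TMPDIR`; leaving `dir` out lets `tempfile` pick the configured location while still creating the directory with owner-only permissions. The three commented-out lines of the old predictable-path code can be deleted, since the revision history keeps them.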
sys.exit(1) - rarfiles = os.popen('%s vb "%s"' % (rar, compressed_file)).readlines() + #rarfiles = os.popen('%s vb "%s"' % (rar, compressed_file)).readlines() + rarfiles = subprocess.Popen([rar, 'vb', compressed_file], + stdout=subprocess.PIPE).communicate()[0].splitlines() for i in range(len(rarfiles)): rarfiles[i] = rarfiles[i].rstrip("\n") rarfiles.sort() cover = guessCover(rarfiles) if cover: - picture = StringIO.StringIO(os.popen('%s p -inul -- "%s" "%s"' - % (rar, compressed_file, cover), "r").read()) + #picture = StringIO.StringIO(os.popen('%s p -inul -- "%s" "%s"' + #% (rar, compressed_file, cover), "r").read()) + picture = StringIO.StringIO(subprocess.Popen( + [rar, 'p', '-inul', '--', compressed_file, cover], + stdout=subprocess.PIPE).stdout.read()) else: subarchive = first_archive(rarfiles) if subarchive: - os.popen('%s p -inul -- "%s" "%s" > "/tmp/comicthumb/archive%d"' - % (rar, compressed_file, subarchive, depth), "r") - return get_image("/tmp/comicthumb/archive%d" % (depth), + #os.popen('%s p -inul -- "%s" "%s" > "/tmp/comicthumb/archive%d"' + #% (rar, compressed_file, subarchive, depth), "r") + filen = _tmp_dir + "archive%d"%(depth) + try: + os.remove(filen) + except: + pass + fp = open(filen, 'w') + fdp = fp.fileno() + subprocess.Popen( + [rar, 'p', '-inul', '--', compressed_file, subarchive], + stdout = fdp).wait() + fp.close() + return get_image( _tmp_dir + "archive%d" % (depth), depth + 1) return picture @@@@ -207,8 +231,8 @@@@ exit_flag = 1 # remove tempory stuff -if os.path.isdir('/tmp/comicthumb/'): - shutil.rmtree('/tmp/comicthumb/') +if os.path.isdir(_tmp_dir): + shutil.rmtree(_tmp_dir) # and exit sys.exit(exit_flag) only in patch2: unchanged: @ 1.1 log @Fix insecure temporary file handling in comic and comicthumb utilities. Eliminate insufficient escaping on shell calls for rar archives/jpegtran. 
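Review bot: The listing call `subprocess.Popen([rar, 'vb', compressed_file], ...)` omits the `--` separator that both `p -inul --` calls in this hunk pass, so an archive path beginning with `-` would still be read by rar as a switch; `[rar, 'vb', '--', compressed_file]` closes that gap. The cover read uses `.stdout.read()` without waiting on the child, where `.communicate()[0]` (as the listing call does) would also reap the process. None of the three calls checks the exit status, so a failed extraction hands an empty or partial file to `get_image`. The nested archive is opened with `'w'` rather than `'wb'` as in the zip and tar branches, and the bare `except:` around `os.remove` would be better as `except OSError:`. The enclosing function starts outside the hunk.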
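Review bot: The `shutil.rmtree(_tmp_dir)` in the final hunk runs only when the script reaches its last lines. The `sys.exit(1)` taken when no rar/unrar binary is found (visible in the RAR hunk) happens after `mkdtemp` has already created the directory, so the directory and any extracted nested archives are left behind. Registering the removal right after creation, e.g. `atexit.register(shutil.rmtree, _tmp_dir, True)` with `import atexit` added, would cover every exit path. Other exits outside the visible hunks may have the same gap.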
@ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-aa was added on branch pkgsrc-2008Q1 on 2008-04-20 08:51:34 +0000 @ text @d1 117 @ 1.1.2.2 log @pullup ticket #2340 - requested by tonnerre fix temprorary file handling, shell escaping Revisions pulled up: - pkgsrc/graphics/comix/Makefile 1.11 - pkgsrc/graphics/comix/distinfo 1.10 - pkgsrc/graphics/comix/patches/patch-aa 1.1 - pkgsrc/graphics/comix/patches/patch-ab 1.1 Module Name: pkgsrc Committed By: tonnerre Date: Sat Apr 19 14:28:46 UTC 2008 Modified Files: pkgsrc/graphics/comix: Makefile distinfo Added Files: pkgsrc/graphics/comix/patches: patch-aa patch-ab Log Message: Fix insecure temporary file handling in comic and comicthumb utilities. Eliminate insufficient escaping on shell calls for rar archives/jpegtran. @ text @a0 117 $NetBSD: patch-aa,v 1.1 2008/04/19 14:28:46 tonnerre Exp $ Fix insecure temporary file handling in comicthumb utility. Eliminate insufficient escaping on shell calls for rar archives/jpegtran. --- mime/comicthumb.orig +++ mime/comicthumb @@@@ -22,6 +22,10 @@@@ import StringIO import re import shutil + +import subprocess +import tempfile + try: import Image except: @@@@ -48,9 +52,13 @@@@ sys.exit(1) # temp directory needed for multiple archives -if not os.path.exists('/tmp/comicthumb/'): - os.makedirs('/tmp/comicthumb/') - os.chmod('/tmp/comicthumb/', 0700) +#if not os.path.exists('/tmp/comicthumb/'): +# os.makedirs('/tmp/comicthumb/') +# os.chmod('/tmp/comicthumb/', 0700) +_tmp_dir = tempfile.mkdtemp(prefix='comixthumb', suffix=os.sep, + dir = '/tmp') +_tmp_dir += "/" + # return the first image in the list def first_image (filelist): @@@@ -101,10 +109,10 @@@@ else: subarchive = first_archive(zipfiles) if subarchive: - output = open("/tmp/comicthumb/archive%d" % (depth), "wb") + output = open( _tmp_dir + "archive%d" % (depth), "wb") output.write(zip.read(subarchive)) output.close() - return get_image("/tmp/comicthumb/archive%d" % (depth), + return get_image( _tmp_dir + "archive%d" % 
(depth), depth + 1) elif tarfile.is_tarfile(compressed_file): TYPE = TYPE or 'cbt' @@@@ -119,10 +127,10 @@@@ else: subarchive = first_archive(tarfiles) if subarchive: - output = open("/tmp/comicthumb/archive%d" % (depth), "wb") + output = open( _tmp_dir + "archive%d" % (depth), "wb") output.write(tar.extractfile(subarchive).read()) output.close() - return get_image("/tmp/comicthumb/archive%d" % (depth), + return get_image( _tmp_dir + "archive%d" % (depth), depth + 1) elif open(compressed_file, 'rb').read(4) == 'Rar!': TYPE = TYPE or 'cbr' @@@@ -138,20 +146,36 @@@@ if not rar: print "You must install unrar or rar to thumbnail RAR archives." sys.exit(1) - rarfiles = os.popen('%s vb "%s"' % (rar, compressed_file)).readlines() + #rarfiles = os.popen('%s vb "%s"' % (rar, compressed_file)).readlines() + rarfiles = subprocess.Popen([rar, 'vb', compressed_file], + stdout=subprocess.PIPE).communicate()[0].splitlines() for i in range(len(rarfiles)): rarfiles[i] = rarfiles[i].rstrip("\n") rarfiles.sort() cover = guessCover(rarfiles) if cover: - picture = StringIO.StringIO(os.popen('%s p -inul -- "%s" "%s"' - % (rar, compressed_file, cover), "r").read()) + #picture = StringIO.StringIO(os.popen('%s p -inul -- "%s" "%s"' + #% (rar, compressed_file, cover), "r").read()) + picture = StringIO.StringIO(subprocess.Popen( + [rar, 'p', '-inul', '--', compressed_file, cover], + stdout=subprocess.PIPE).stdout.read()) else: subarchive = first_archive(rarfiles) if subarchive: - os.popen('%s p -inul -- "%s" "%s" > "/tmp/comicthumb/archive%d"' - % (rar, compressed_file, subarchive, depth), "r") - return get_image("/tmp/comicthumb/archive%d" % (depth), + #os.popen('%s p -inul -- "%s" "%s" > "/tmp/comicthumb/archive%d"' + #% (rar, compressed_file, subarchive, depth), "r") + filen = _tmp_dir + "archive%d"%(depth) + try: + os.remove(filen) + except: + pass + fp = open(filen, 'w') + fdp = fp.fileno() + subprocess.Popen( + [rar, 'p', '-inul', '--', compressed_file, subarchive], + stdout = 
fdp).wait() + fp.close() + return get_image( _tmp_dir + "archive%d" % (depth), depth + 1) return picture @@@@ -207,8 +231,8 @@@@ exit_flag = 1 # remove tempory stuff -if os.path.isdir('/tmp/comicthumb/'): - shutil.rmtree('/tmp/comicthumb/') +if os.path.isdir(_tmp_dir): + shutil.rmtree(_tmp_dir) # and exit sys.exit(exit_flag) only in patch2: unchanged: @