10626 – security: broadcast document to the world on pdf/fax ouput

Issue 10626 - security: broadcast document to the world on pdf/fax ouput

Summary: security: broadcast document to the world on pdf/fax ouput

Status:	CLOSED FIXED

Alias:	None

Product:	gsl
Classification:	Code
Component:	code (show other issues)
Version:	OOo 1.0.2
Hardware:	PC Linux, all

Importance:	P3 Trivial (vote)
Target Milestone:	OOo 1.1 Beta
Assignee:	philipp.lohmann
QA Contact:	issues@gsl

URL:
Keywords:

Depends on:
Blocks:

Reported:	2003-01-13 15:10 UTC by mmeeks
Modified:	2003-02-18 10:27 UTC (History)
CC List:	2 users (show)

See Also:
Issue Type:	DEFECT
Latest Confirmation in:	---
Developer Difficulty:	---

Attachments
Patch to fix daft security hole (1.21 KB, patch) 2003-01-13 15:23 UTC, mmeeks	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this issue.

Description mmeeks 2003-01-13 15:10:17 UTC

salprnpsp.cxx gets the psprint code to write to a tmpname eg. /tmp/fileNNNNN,
which means that the entire document is written to a world readable /tmp/file
before it's sent.

To replicate, use spadmin to setup a fax / pdf printer, poke at /tmp/ while it's
printing - and marvel as well at the _two_ files fileNNNN and fileNNNN.ps
(identical lengths) that it dumps out - both with the document in (presumably).

While these are deleted afterwards - for any significantly sized document, (and
given the duplicate printing) it should be easy to grab a link to the document
while it's being printed.

This bug also affects StarOffice 6.0

Comment 1 mmeeks 2003-01-13 15:23:34 UTC

Created attachment 4284 [details]
Patch to fix daft security hole

Comment 2 philipp.lohmann 2003-01-13 15:57:34 UTC

Thank you for calling me daft. If you bothered to look at the link
count of those "two" files you would see that they are actually only one.

Comment 3 philipp.lohmann 2003-01-13 18:05:41 UTC

fixed in CWS vcl03

Comment 4 mmeeks 2003-01-14 09:25:28 UTC

Sounds like I offended you - sorry. I didn't call you daft ( which is
a very mild word incidentally ) - I called the code daft - which it
was :-) We all write such things; in fact my suggested patch didn't
fix another problem in the mkstemp path; the template string there
needs to contain some XXXXXs I believe thus we're missing a:

strcpy (tmpfilename, "fileXXXXXX");

Without that I still get problems on Linux printing.

I see the 'link' statment in passFileToCommandLine now - so it's only
output once indeed: Trying to help ... a thankless task it seems.

Comment 5 philipp.lohmann 2003-01-14 09:37:16 UTC

No problem. At times i actually am a bit daft :-). Regarding the
mkstemp issue i wrote to the IRIX people who invented it, but never
got an answer. I wonder why the FreeBSD people simply set onto the
same path, but didn't want to simply kick out their code.

What are your other Linux printing problems ?

And thank you for helping.

Comment 6 philipp.lohmann 2003-01-24 12:17:15 UTC

verified in vcl03

Comment 7 philipp.lohmann 2003-02-18 10:27:13 UTC

seen in 644m3