From dc1be4c559bb2cfef9fe923a77b3cb474c196358 Mon Sep 17 00:00:00 2001
From: Einhard Leichtfuß <alguien@respiranto.de>
Date: Mon, 3 Dec 2018 21:23:24 +0100
Subject: Treat temporary file with care

Particularly in case somebody uses de-/encrypting {input,ouput}_program,
it is important that the temporary file containing the decrypted data
remains only accessible by the current user and is deleted when no
longer needed.
---
 ctct.in | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'ctct.in')

diff --git a/ctct.in b/ctct.in
index a98561a..624566c 100644
--- a/ctct.in
+++ b/ctct.in
@@ -57,6 +57,12 @@ usage:
 EOF
 }
 
+function cleanup()
+{
+	test -v tmp_file && test -f "$tmp_file" && rm "$tmp_file"
+}
+trap cleanup EXIT
+
 function main()
 {
 	if ! test -d "$datadir" && ! mkdir "$datadir"
@@ -208,13 +214,13 @@ function search_file()
 
 function list_all()
 {
-	# NEW
+	# Use find instead of ls to avoid listing non-regular files.
 	find "$datadir" -maxdepth 1 -type f | sed 's|.*/||'
 }
 
 function edit_file()
 {
-	local file tmp_file editor new=false
+	local file editor new=false
 	
 	if ! file="$datadir/$(get_filename "$1")"
 	then
@@ -244,10 +250,12 @@ function edit_file()
 		"$editor" "$file"
 	else
 		tmp_file="$(mktemp)"
+		chmod 600 "$tmp_file"
 		# output_program may contain further arguments:
 		! $new && eval "$output_program" < "$file" > "$tmp_file"
 		"$editor" "$tmp_file"
 		eval "$input_program" < "$tmp_file" > "$file"
+		rm "$tmp_file" && unset tmp_file
 	fi
 }
 
-- 
cgit v1.2.3