Another day, another cyrus bug :(

Bron Gondwana brong at fastmail.fm
Mon Jan 5 23:38:01 EST 2009


This one is a doozy.

mboxlist_lookup returns a live pointer to a malloc'ed copy of the 
acl.  So far so good.

Except (I presume to reduce memory management effort for callers of
the function) this value is overwritten next time you call
mboxlist_lookup again.

So - user_renameacl was clever.  It got the acl and proceeded to
replace the \t values with \0, and pass through the "rights" string
to mboxlist_setacl.

Which promptly called mboxlist_lookup AGAIN.

So basically the user would get all their own ACLs, plus any ACL
character that existed in either the usernames or acls of any user
after them in the ACL string.  v'classy.

I figure the easy fix is just to take a copy of the acl with xstrdup.

The better fix would be a less insanely dangerous API with
action-at-a-distance on existing copies of the string.  C gives you
enough rope to shoot yourself in the foot (excuse my metaphors), we
don't need to help it out!

Bron.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: aclfix.diff
Type: text/x-diff
Size: 1301 bytes
Desc: not available
Url : http://lists.andrew.cmu.edu/pipermail/cyrus-devel/attachments/20090106/737c8738/attachment.bin 
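
The aliasing hazard described in the message, reduced to a stand-alone C model (an added example, not code from the post or from Cyrus). `lookup_acl`, `set_acl`, `rename_acl` and the sample ACL are hypothetical stand-ins; a static buffer models the lookup result that the next call overwrites, and a malloc/strcpy copy stands in for `xstrdup`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed sample ACL: "id\trights\t" pairs. */
static const char STORED_ACL[] = "alice\tlrs\tdave\tlr\t";
static char lookup_buf[64];  /* storage that every lookup call rewrites */
static char granted[16];     /* rights the setter actually applied */

/* Hypothetical lookup: returns a live pointer, overwritten by the next call. */
static char *lookup_acl(void) {
    strcpy(lookup_buf, STORED_ACL);
    return lookup_buf;
}

/* Hypothetical setter: looks up again, then keeps every valid rights letter in `rights`. */
static void set_acl(const char *rights) {
    size_t n = 0;
    (void)lookup_acl();              /* clobbers the caller's earlier result */
    for (const char *r = "lrswipcda"; *r; r++)
        if (strchr(rights, *r)) granted[n++] = *r;
    granted[n] = '\0';
}

/* Split olduser's entry in place and re-grant its rights; copy_first=1 works on a private copy. */
static const char *rename_acl(const char *olduser, int copy_first) {
    char *acl = lookup_acl();
    char *own = copy_first ? malloc(strlen(acl) + 1) : NULL;
    granted[0] = '\0';
    if (copy_first && !own) return granted;
    if (own) strcpy(own, acl);       /* the "take a copy" fix */
    for (char *p = own ? own : acl; *p; ) {
        char *id = p, *rights = strchr(id, '\t');
        if (!rights) break;
        *rights++ = '\0';            /* replace \t with \0, as the post describes */
        char *end = strchr(rights, '\t');
        if (!end) break;
        *end = '\0';
        if (strcmp(id, olduser) == 0) set_acl(rights);
        p = end + 1;
    }
    free(own);
    return granted;
}

int main(void) {
    printf("live pointer: %s\n", rename_acl("alice", 0));
    printf("private copy: %s\n", rename_acl("alice", 1));
    return 0;
}
```

With the live pointer, the second lookup restores the tabs, so the rights string runs on through "dave" and its rights and alice picks up `d` and `a` from the next user's name.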

