Another day, another cyrus bug :(
brong at fastmail.fm
Mon Jan 5 23:38:01 EST 2009
This one is a doozy.
mboxlist_lookup returns a live pointer to a malloc'ed copy of the
acl. So far so good.
Except (I presume to reduce memory management effort for callers of
the function) this value is overwritten next time you call
So - user_renameacl was clever. It got the acl and proceeded to
replace the \t values with \0, and pass through the "rights" string
Which promptly called mboxlist_lookup AGAIN.
So basically the user would get all their own ACLs, plus any ACL
character that existed in either the usernames or acls of any user
after them in the ACL string. v'classy.
I figure the easy fix is just to take a copy of the acl with xstrdup.
The better fix would be a less insanely dangerous API with
action-at-a-distance on existing copies of the string. C gives you
enough rope to shoot yourself in the foot (excuse my metaphores), we
don't need to help it out!
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1301 bytes
Desc: not available
Url : http://lists.andrew.cmu.edu/pipermail/cyrus-devel/attachments/20090106/737c8738/attachment.bin
More information about the Cyrus-devel