/*
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 * When distributing Covered Code, include this CDDL HEADER in each
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 */

/*
 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident "%Z%%M% %I% %E% SMI"

/*
 * We want to prevent the use of NLSPATH by setugid applications but
 * not completely. CDE depends on this very much.
 * Yes, this is ugly.
 */

/*
 * Routine to check the safety of a messages file.
 * When the program specifies a pathname and doesn't
 * use NLSPATH, it should specify the "safe" flag as 1.
 * Most checks will be disabled then.
 * fstat64 is done here and the stat structure is returned
 * to prevent duplication of system calls.
 * The trust return value contains an indication of
 * trustworthiness (i.e., does check_format need to be called or
 */

/*
 * If SAFE_F has been specified or NLSPATH is safe (or not set),
 * set trust_path and trust the file as an initial value.
 */

/*
 * Trust only files owned by root or bin (uid 2), except
 * when specified as full path or when NLSPATH is known to
 */

/*
 * Don't trust files writable by other or writable
 * by non-bin, non-root system group.
 * Don't trust these files even if the path is correct.
 * Since we don't support changing uids/gids on our files,
 * we hardcode them here for now.
 */

/*
 * if the path is absolute and does not contain "/../",
 */

/*
 * if the path belongs to the trusted system directory,
 */

/*
 * If the owner is root or bin, set trust_owner.
 */

/*
 * If the file is neither other-writable nor group-writable by
 * non-bin and non-root system group, set trust_group.
 */

/*
 * Even if UNSAFE_F has been specified and unsafe-NLSPATH
 * has been set, trust the file as long as it belongs to
 * the trusted system directory.
 */

/*
 * file is not a full pathname,
 * neither trust_owner nor trust_path is set,
 * trust_group is not set,
 */

/*
 * If set[ug]id process, open for the untrusted file should fail.
 * Otherwise, the message extracted from the untrusted file
 * will have to be checked by check_format().
 */
/*
 * if the path does not belong to the trusted system directory
 * or if the owner is neither root nor bin, untrust it.
 */

/*
 * Extract a format into a normalized format string.
 * Returns the number of arguments converted, -1 on error.
 * The string norm should contain 2N bytes; an upperbound is the
 * length of the format string.
 * The canonical format consists of two chars: one is the conversion
 * character (s, c, d, x, etc), the second one is the option flag.
 * L, ll, l, w as defined below.
 * A special conversion character, '*', indicates that the argument
 * is used as a precision specifier.
 */

/* Number of bytes per canonical format entry */

/*
 * Check and store the argument; allow each argument to be used only as
 * one type even though printf allows multiple uses. The specification only
 * allows one use, but we don't want to break existing functional code,
 * even if it's buggy.
 */

/*
 * This function extracts sprintf format into a canonical
 * sprintf form. It's not as easy as just removing everything
 * that isn't a format specifier, because of "%n$" specifiers.
 * Ideally, this should be compatible with printf and not
 * fail on bad formats.
 * However, that makes writing a proper check_format that
 * doesn't cause crashes a lot harder.
 */

/*
 * If digits follow a '*', it is
 * not loaded as an argument, the
 * digits are used instead.
 */

/*
 * Weird as it may seem, if we
 * use a numbered argument, we
 * get the next one if we have
 */

/* Fail on two or more dots if we do strict checking */

/*
 * Default message is NULL.
 * dtmail uses NULL for default message.
 */

"invalid format in gettext argument: \"%s\"",
    torg);
"invalid format in message file \"%.100s\" -> \"%s\"",
"incompatible format in message file: \"%.100s\" != \"%s\"",
"dangerous format in message file: "
"incompatible format in message file \"%.100s\" != \"%s\"",
/*
 * s1 is either name, or name=value
 * if names match, return value of s2, else NULL
 * used for environment searching: see getenv
 */

/*
 * Handle NLSPATH environment variables in the environment.
 * The intention is to ignore NLSPATH in set-uid applications,
 * and determine whether the NLSPATH in an application was set
 * by the applications or derived from the user's environment.
 */

/* can happen when processing a SunOS 4.x AOUT file */

/* Find the first NLSPATH occurrence */

if (!*p)
	/* None found, we're safe */

for (p++; (p[-off] = p[0]) != '\0'; p++)
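
Added example, not part of the original file: the canonical-format idea from the comments above, in which each conversion becomes a two-byte entry (conversion character plus option flag) and a message from an untrusted catalog is accepted only if its entries match those of the program's own format. The names `put`, `normalize`, `format_compatible` and `MAXFMT`, the `'q'` flag for `ll`, the exact-match rule, and the restriction to unnumbered arguments (no `%n$`) are assumptions of this example.

```c
#include <string.h>
#define	NORM_SZ	2	/* bytes per canonical entry: conversion + flag */
#define	MAXFMT	256	/* longest format accepted here (assumption) */

static int put(char *norm, int n, char conv, char flag)
{
	norm[n * NORM_SZ] = conv;
	norm[n * NORM_SZ + 1] = flag;
	return (n + 1);
}

/* Returns the argument count, or -1 on a malformed or %n format. */
static int normalize(const char *fmt, char *norm)
{
	int n = 0;
	for (; *fmt != '\0'; fmt++) {
		char flag = ' ';
		if (*fmt != '%' || *++fmt == '%')
			continue;		/* plain text or literal "%%" */
		fmt += strspn(fmt, "-+ #0");	/* printf flags */
		for (int dot = 0; ; dot++) {	/* width, then precision */
			if (*fmt == '*')	/* '*' consumes an int argument */
				n = put(norm, n, *fmt++, ' ');
			else
				fmt += strspn(fmt, "0123456789");
			if (dot == 1 || *fmt != '.')
				break;
			fmt++;
		}
		if (fmt[0] == 'l' && fmt[1] == 'l') {
			flag = 'q';		/* "ll" stored as 'q' here */
			fmt += 2;
		} else if (*fmt == 'h' || *fmt == 'l' || *fmt == 'L')
			flag = *fmt++;
		if (*fmt == '\0' || strchr("diouxXcsfeEgGp", *fmt) == NULL)
			return (-1);		/* unknown, truncated, or %n */
		n = put(norm, n, *fmt, flag);
	}
	norm[n * NORM_SZ] = '\0';
	return (n);
}

/* 1 only if the translation consumes the same arguments as the original. */
static int format_compatible(const char *orig, const char *trans)
{
	char a[NORM_SZ * MAXFMT + 1], b[NORM_SZ * MAXFMT + 1];
	if (strlen(orig) > MAXFMT || strlen(trans) > MAXFMT ||
	    normalize(orig, a) < 0 || normalize(trans, b) < 0)
		return (0);
	return (strcmp(a, b) == 0);
}
```

A catalog entry that swaps `%d` for `%s`, reorders the conversions, or adds `%n` yields a different or invalid canonical string and is rejected before it reaches `printf`.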