Dima Ryazanov
2018-11-15 07:02:12 UTC
It's a bit surprising that Weston looks different when launched from the root
of the git repo vs from elsewhere.
But it's also technically a security vulnerability: if I launch it from
a directory like /tmp, it might pick up a weston.ini created by another user,
which could then load modules with arbitrary code. Basically, it's the same
problem as including "." in $PATH.
Signed-off-by: Dima Ryazanov <***@gmail.com>
---
man/weston.ini.man | 1 -
man/weston.man | 4 +---
shared/config-parser.c | 8 ++------
3 files changed, 3 insertions(+), 10 deletions(-)
diff --git a/man/weston.ini.man b/man/weston.ini.man
index c12e0505..2171b960 100644
--- a/man/weston.ini.man
+++ b/man/weston.ini.man
@@ -27,7 +27,6 @@ server is started:
.B "weston/weston.ini in each"
.BR "\ \ \ \ $XDG_CONFIG_DIR " "(if $XDG_CONFIG_DIRS is set)"
.BR "/etc/xdg/weston/weston.ini " "(if $XDG_CONFIG_DIRS is not set)"
-.BR "<current dir>/weston.ini " "(if no variables were set)"
.fi
.RE
.PP
diff --git a/man/weston.man b/man/weston.man
index c09d4c2d..c1aa6476 100644
--- a/man/weston.man
+++ b/man/weston.man
@@ -261,14 +261,12 @@ See
.SH FILES
.
If the environment variable is set, the configuration file is read
-from the respective path, or the current directory if neither is set.
+from the respective path.
.PP
.BI $XDG_CONFIG_HOME /weston.ini
.br
.BI $HOME /.config/weston.ini
.br
-.I ./weston.ini
-.br
.
.\" ***************************************************************
.SH ENVIRONMENT
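Review bot: In the FILES paragraph of weston.man, the reworded sentence "If the environment variable is set, the configuration file is read from the respective path." no longer says what happens when neither variable is set. With the ./weston.ini entry gone, state that case explicitly, and consider listing the XDG_CONFIG_DIRS locations here as weston.ini.man does, so the two pages describe the same search order.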
diff --git a/shared/config-parser.c b/shared/config-parser.c
index ae5f8035..7b1402d2 100644
--- a/shared/config-parser.c
+++ b/shared/config-parser.c
@@ -75,8 +75,7 @@ open_config_file(struct weston_config *c, const char *name)
}
/* Precedence is given to config files in the home directory,
- * and then to directories listed in XDG_CONFIG_DIRS and
- * finally to the current working directory. */
+ * then to directories listed in XDG_CONFIG_DIRS. */
/* $XDG_CONFIG_HOME */
if (config_dir) {
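Review bot: The updated precedence comment in open_config_file() drops the mention of the current working directory without saying why. Add a sentence stating that the cwd is deliberately not searched, so that a later change does not reintroduce the fallback as a convenience.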
@@ -111,10 +110,7 @@ open_config_file(struct weston_config *c, const char *name)
next++;
}
- /* Current working directory. */
- snprintf(c->path, sizeof c->path, "./%s", name);
-
- return open(c->path, O_RDONLY | O_CLOEXEC);
+ return -1;
}
static struct weston_config_entry *
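Review bot: The new "return -1;" at the end of open_config_file() leaves c->path untouched on the not-found path, whereas the removed lines always wrote "./name" into it before returning. Check that callers do not read c->path after a failed open, or clear it (c->path[0] = '\0') before returning. A short comment that -1 here means no config file was found in any search directory would also help.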
--
2.19.1
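Added example, not part of the patch or of Weston's code: a lookup with the precedence the patch documents and no fallback to the current directory. It goes one step beyond the patch by also skipping empty or relative entries in XDG_CONFIG_HOME, HOME and XDG_CONFIG_DIRS, which would otherwise bring the cwd lookup back; open_user_config, try_dir and demo_cwd_ignored are hypothetical names.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open dir/sub/name only when dir is absolute: an empty or relative
 * entry would be resolved against the current working directory. */
static int try_dir(const char *dir, const char *sub, const char *name,
                   char *path, size_t len)
{
    if (!dir || dir[0] != '/' ||
        (size_t)snprintf(path, len, "%s/%s%s", dir, sub, name) >= len)
        return -1;
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Hypothetical lookup: returns an fd, or -1 when nothing is found. */
int open_user_config(const char *name, char *path, size_t len)
{
    const char *dirs = getenv("XDG_CONFIG_DIRS");
    char *copy, *save = NULL, *d;
    int fd;
    if ((fd = try_dir(getenv("XDG_CONFIG_HOME"), "", name, path, len)) >= 0 ||
        (fd = try_dir(getenv("HOME"), ".config/", name, path, len)) >= 0)
        return fd;
    if (!(copy = strdup(dirs ? dirs : "/etc/xdg")))
        return -1;
    for (d = strtok_r(copy, ":", &save); d && fd < 0; d = strtok_r(NULL, ":", &save))
        fd = try_dir(d, "weston/", name, path, len);
    free(copy);
    return fd; /* no fallback to "./name" */
}

/* Constructed scenario: returns 1 when files planted in cwd are ignored. */
int demo_cwd_ignored(void)
{
    char tmpl[] = "/tmp/cfgdemoXXXXXX", path[4096];
    if (!mkdtemp(tmpl) || chdir(tmpl) || mkdir("weston", 0700))
        return -1;
    close(open("weston.ini", O_WRONLY | O_CREAT, 0600));
    close(open("weston/weston.ini", O_WRONLY | O_CREAT, 0600));
    setenv("XDG_CONFIG_HOME", ".", 1);  /* relative: must be skipped */
    setenv("HOME", "", 1);              /* empty: must be skipped */
    setenv("XDG_CONFIG_DIRS", ".", 1);  /* would reach ./weston/weston.ini */
    return open_user_config("weston.ini", path, sizeof path) < 0;
}
int main(void) { return demo_cwd_ignored() == 1 ? 0 : 1; }
```

The demo leaves its scratch directory under /tmp behind and changes the process's working directory and environment.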