From 178a5c31992e06ea90143053285a104ed15115d3 Mon Sep 17 00:00:00 2001
From: Jon Jensen <jon@endpoint.com>
Date: Mon, 7 Sep 2009 23:45:39 -0600
Subject: [PATCH] Disallow abuse of writes via ErrorFile when NoAbsolute is set

Exploit reported by Peter Ajamian.
(cherry picked from commit 9b6872cabea98440451efac8565f4050350116ef)
(cherry picked from commit 5dd0cf2a516f8edcea9212a7191fd776916f46df)
---
 dist/test/products/tests.asc | 23 +++++++++++++++++++++++
 lib/Vend/Util.pm             | 27 +++++++++++++++++----------
 2 files changed, 40 insertions(+), 10 deletions(-)

diff --git a/dist/test/products/tests.asc b/dist/test/products/tests.asc
index b46b934ef..8b398d151 100644
--- a/dist/test/products/tests.asc
+++ b/dist/test/products/tests.asc
@@ -4567,6 +4567,29 @@ Verify fix of AllowedFileRegex circumvention
 %%
 Verify fix of TemplateDir circumvention of NoAbsolute constraints
 %%%
+000168
+%%
+[if file /tmp/ic.bad.file]
+    The bad test file /tmp/ic.bad.file already exists!
+    Please delete it before re-running this test.
+[/if]
+[calcn]
+    my $oldfile = $Config->{ErrorFile};
+    $Config->{ErrorFile} = '/tmp/ic.bad.file';
+    Log 'This is a new file that is being created and written where it should not be.';
+    $Config->{ErrorFile} = $oldfile;
+    return;
+[/calcn]
+[if file /tmp/ic.bad.file]bad[else]good[/else][/if]ness
+%%
+goodness
+%%
+already exists
+%%
+
+%%
+Verify fix of ErrorFile circumvention of NoAbsolute constraints
+%%%
 999999
 %%
 [the test] [perl]
diff --git a/lib/Vend/Util.pm b/lib/Vend/Util.pm
index 2a6fe0b5e..63998fb95 100644
--- a/lib/Vend/Util.pm
+++ b/lib/Vend/Util.pm
@@ -1732,22 +1732,29 @@ sub logError {
 	$Vend::Errors .= $msg
 		if $Vend::Cfg->{DisplayErrors} || $Global::DisplayErrors;
 
-    eval {
-		open(MVERROR, ">> $opt->{file}")
-											or die "open\n";
-		lockfile(\*MVERROR, 1, 1)		or die "lock\n";
-		seek(MVERROR, 0, 2)				or die "seek\n";
-		print(MVERROR $msg, "\n")		or die "write to\n";
-		unlockfile(\*MVERROR)			or die "unlock\n";
-		close(MVERROR)					or die "close\n";
-    };
+    my $reason;
+    if (! allowed_file($opt->{file}, 1)) {
+        $@ = 'access';
+        $reason = 'prohibited by global configuration';
+    }
+    else {
+        eval {
+            open(MVERROR, ">> $opt->{file}")
+                                        or die "open\n";
+            lockfile(\*MVERROR, 1, 1)   or die "lock\n";
+            seek(MVERROR, 0, 2)         or die "seek\n";
+            print(MVERROR $msg, "\n")   or die "write to\n";
+            unlockfile(\*MVERROR)       or die "unlock\n";
+            close(MVERROR)              or die "close\n";
+        };
+    }
     if ($@) {
 		chomp $@;
 		logGlobal ({ level => 'info' },
 					"Could not %s error file %s: %s\nto report this error: %s",
 					$@,
 					$opt->{file},
-					$!,
+					$reason || $!,
 					$msg,
 				);
     }