Bug 329535 - tomboy script looks for executable in CWD
Status: RESOLVED FIXED
Product: tomboy
Classification: Applications
Component: General
Assigned To: Tomboy Maintainers
Reported: 2006-02-01 22:43 UTC by Oskari Saarenmaa
Modified: 2008-02-26 20:49 UTC
Attachments
patch to modify tomboy wrapper so it works with tomboy not in CWD (757 bytes, patch)
2006-03-06 21:23 UTC, Jon Dowland
tomboy-cwd-exe.patch: Possible fix (1.47 KB, patch)
2006-11-21 07:18 UTC, Boyd Timothy
tomboy-cwd-exe.patch: Checks that $PWD = @srcdir@ (1.02 KB, patch)
2006-11-21 14:44 UTC, Boyd Timothy

Description Oskari Saarenmaa 2006-02-01 22:43:52 UTC
Upstreaming from https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=177677

Running the executables from CWD has security issues; bugs 328911 and 328909 are about the same problem with beagled and f-spot and include more details.

Comment 1 Jon Dowland 2006-03-06 21:23:16 UTC
Created attachment 60797
patch to modify tomboy wrapper so it works with tomboy not in CWD

This is a patch for this issue (sort-of) that I submitted to the tomboy list a while back. It doesn't solve the security aspect of this problem (detailed in the beagle/f-spot bugs) which, for the benefit of this bug, is

* bad user creates a trojan tomboy.exe in /tmp (and a blank Makefile.am)
* good user is in /tmp and types tomboy
* wrapper script calls the trojan rather than the correct .exe

... but it does mean you can do ./Tomboy/tomboy from the @srcdir@ (rather than having to be in @srcdir@/Tomboy)

Comment 2 Boyd Timothy 2006-11-21 07:18:15 UTC
Created attachment 76964
tomboy-cwd-exe.patch: Possible fix

Does something like this (borrowed from f-spot) satisfy the security problem?  Essentially, if you want to run an uninstalled (development) version of Tomboy, you have to start it with "tomboy --uninstalled" regardless of what directory you are in.  Maybe a bit inconvenient for developers but safer for end-users.

Comment 3 Alex Graveley 2006-11-21 11:00:43 UTC
Why not just check that the CWD = @srcdir@/Tomboy, and if so run a Tomboy.exe found therein?  Just have to replace @srcdir@ correctly when generating tomboy from tomboy.in.

I consider the --uninstalled thing to be rather heavy handed.

Comment 4 Boyd Timothy 2006-11-21 14:44:06 UTC
Created attachment 76972
tomboy-cwd-exe.patch: Checks that $PWD = @srcdir@

Originally I tried this, but I got held up by @srcdir@ resolving to "." so I went the other route.  So, thanks for catching this, because $PWD resolves to a full path properly (which I was using in the previous patch).  This now works well (only runs "Uninstalled Tomboy" when $PWD is <full path to Tomboy source code>/Tomboy).

Comment 5 Boyd Timothy 2006-11-21 17:49:08 UTC
Checked-in the fix into latest CVS.
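
The difference between the CWD-trusting lookup described in comment 1 and the source-directory check proposed in comments 3 and 4, as an added example that is not part of the original thread and not Tomboy's wrapper script. The function names, the install path and the `Tomboy.exe`/`Makefile.am` test are assumptions modelled on the descriptions above.

```shell
#!/bin/sh
# Added illustration, not Tomboy's wrapper. Function names and the install
# path are hypothetical; the directory layout in demo() is constructed.
INSTALLED_EXE="/usr/lib/tomboy/Tomboy.exe"   # assumed install location

# Behaviour reported in comment 1: any CWD that looks like a source tree
# (Tomboy.exe beside a Makefile.am) is trusted, including /tmp.
choose_exe_cwd_trusting() {
    cwd=$1
    if [ -f "$cwd/Tomboy.exe" ] && [ -f "$cwd/Makefile.am" ]; then
        printf '%s\n' "$cwd/Tomboy.exe"
    else
        printf '%s\n' "$INSTALLED_EXE"
    fi
}

# Approach from comments 3 and 4: use the local build only when the CWD is
# exactly the absolute build directory recorded when the script was generated.
choose_exe_srcdir_pinned() {
    cwd=$1
    build_dir=$2
    case $build_dir in
        /*) ;;   # absolute path: safe to compare against the CWD
        *)  printf '%s\n' "$INSTALLED_EXE"; return 0 ;;   # relative (e.g. "."): refuse
    esac
    if [ "$cwd" = "$build_dir" ] && [ -f "$build_dir/Tomboy.exe" ]; then
        printf '%s\n' "$build_dir/Tomboy.exe"
    else
        printf '%s\n' "$INSTALLED_EXE"
    fi
}

# Constructed scenario: a shared directory with a planted Tomboy.exe and an
# empty Makefile.am, next to a genuine build tree.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/shared" "$root/src/Tomboy"
    : > "$root/shared/Tomboy.exe"; : > "$root/shared/Makefile.am"
    : > "$root/src/Tomboy/Tomboy.exe"; : > "$root/src/Tomboy/Makefile.am"
    for dir in "$root/shared" "$root/src/Tomboy"; do
        echo "cwd=$dir"
        echo "  cwd-trusting:  $(choose_exe_cwd_trusting "$dir")"
        echo "  srcdir-pinned: $(choose_exe_srcdir_pinned "$dir" "$root/src/Tomboy")"
    done
    rm -rf "$root"
}
demo
```

In a real wrapper the first argument would be `$(pwd -P)` and the second the absolute path substituted at build time.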