History log of /openbsd/usr.bin/patch/patch.c (Results 1 – 25 of 77)
Revision Date Author Comments
# 178bf424 30-Aug-2024 op <op@openbsd.org>

use strtonum() to parse numeric option values instead of atoi()

looks reasonable to deraadt
ok/improvements bluhm@


# d756b25f 22-Mar-2024 jcs <jcs@openbsd.org>

add "-V none" to prevent making any backups

from FreeBSD

ok bluhm deraadt


# 111e0f2c 25-Oct-2023 bluhm <bluhm@openbsd.org>

Fix unveil(2) in patch(1) with explicit patchfile.

A backup file should be created in the directory of the original
file, but only the current directory was unveiled. Then the patched
file was created in /tmp and did not replace the original patchfile
in place. If a patchfile is passed in argv[0], unveil its directory
instead of current directory.

OK florian@ deraadt@ millert@


# 311f4bd0 19-Jul-2023 tb <tb@openbsd.org>

Partially fix interactive mode in patch

If ask() can't open /dev/tty for reading, it assumes the default answer
and carries on. Add missing unveil, so that ask() waits for an answer.
This isn't a full fix since it won't allow giving paths outside the tree
rooted at the current directory, but that's expected by the recent change.
Questions are only asked outside of force or batch mode.

fix suggested by op and semarie
ok deraadt florian


# 4d951e93 15-Jul-2023 florian <florian@openbsd.org>

Prevent patch(1) from scribbling all over the place.

Arguably the only sensible use of patch(1) is changing files in the
current working directory and subdirectories.

However, patch(1) has this anti-feature, or dare I say bug, where it
will happily follow "../" upwards and outside of the current working
directory to find files to change. All it takes is a line like
+++ ../../../../home/florian/.ssh/authorized_keys
in the patchfile.

patch(1) operates on untrusted input and it already pledge(2)'ed to
not execute arbitrary programs, but of course it needs to write
files.

A simple unveil(".", "rwc") restricts patch(1) to its current working
directory.

We also need to allow /tmp and potentially the output file and reject
file if given on the command line. But those paths are safe.

input op, deraadt
OK millert, sthen


# 24f68354 12-Jul-2023 tb <tb@openbsd.org>

Use ssize_t instead of short for line lengths

sthen hit a binary patch containing a 'line' of length > 32kB. This made
the short used for storing the line length wrap and resulted in a buffer
underflow and segfault. This uses a larger type, which doesn't actually
fix the problem, but makes it much less likely to be hit.

ok florian otto sthen


# 8b49e778 03-Aug-2022 op <op@openbsd.org>

fix locate_hunk in empty files

if `first_guess' is zero then main() assumes that locate_hunk has failed
and aborts the patch operation. Instead, make sure to return 1 (the
line number) so that the patch operation can continue.

Issue originally found by Neels Hofmeyr in the regress suite of the diff
implementation for got, where the tests assume that applying a diff with
`patch' and then again with `patch -R' yields back the original file.

ok stsp@


# 348e3450 03-Aug-2022 op <op@openbsd.org>

fix dwim for reversed patches

patch(1) fails to recognize the reversal application of a patch that
creates a file. since an empty context always matches, the idea is to
run the dwim ("do what I mean") code also when locate_hunk succeeds but
the patch would create a file and the match is on the first line.
fixes the (disabled) test t3.

ok stsp@


# 5fbd5e42 02-Dec-2019 jca <jca@openbsd.org>

Use getline(3) to handle lines longer than 8192 bytes in patch files

Spotted by jsg@ when working on mesa. Diff tested by sthen@ in
a partial i386 bulk. Input from and ok jsg@ millert@


# 3aaa63eb 28-Jun-2019 deraadt <deraadt@openbsd.org>

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# c2d43eca 28-Jun-2019 deraadt <deraadt@openbsd.org>

mkstemp() returns -1 on failure


# f5591223 22-Jun-2018 zhuk <zhuk@openbsd.org>

Add --dry-run as synonym to -C/--check.

FreeBSD and NetBSD have had this for a while, and GNU patch got it even earlier
than we got -C.

input from sthen@ & jca@; okay sthen@, jca@ and deraadt@.


# e7f942e8 07-Apr-2018 anton <anton@openbsd.org>

Remove unused pathnames.h header since patch was refactored into not invoking
ed back in 2015; ok millert@ tb@ tobias@


# 04fc40a3 12-Jun-2017 deraadt <deraadt@openbsd.org>

rejname[] is also -r option buffer, and should be PATH_MAX
ok millert


# c3001b4f 04-Jan-2016 gsoares <gsoares@openbsd.org>

usage() should exit 2 here, not EXIT_SUCCESS
ok tb@


# b4e5b6a2 29-Dec-2015 gsoares <gsoares@openbsd.org>

fix exit status on pledge(2) failure.

OK tb@ jsg@


# 9b32031c 11-Nov-2015 deraadt <deraadt@openbsd.org>

exit() after perror() for pledge failure. Perhaps this got introduced
as a test idiom, either when pledge was young or during the transition
to strings.... dunno


# 6d4b3e9e 16-Oct-2015 tobias <tobias@openbsd.org>

Add native support for ed-style diffs. No need to pledge "proc exec" anymore.

ok deraadt


# 0bd1216c 09-Oct-2015 deraadt <deraadt@openbsd.org>

Change all tame callers to namechange to pledge(2).


# 19b2d0aa 07-Oct-2015 deraadt <deraadt@openbsd.org>

patch(1) can move to "stdio rpath wpath cpath tmppath fattr proc exec"
(adding proc exec), now that "exec" has arrived in the kernel. This
permits the dangerous game of feeding ed-style diffs with popen() via
/bin/ed. Shocked yet? Your mission, should you choose to accept it,
is to replace this code with a builtin ed-style patcher, maybe cribbing
code from ed itself.

I'm sorry, but we can't fix the entire world all at once. No one loves
deprecating standardized features as much as we do, but there are some
lines. Maybe if people become aware of how crappy the implementations
of some standard features are, they could help decide the path.


# 4c01e3ae 04-Oct-2015 deraadt <deraadt@openbsd.org>

remove tame "proc". it is not useful, because the "ed" diffs require
fork+execve, and execve is not going to become available in this fashion.
ed diffs should be handled using a built-in handler, and various folks
have been discussing this behind the scenes.


# 4e8d95bc 03-Oct-2015 deraadt <deraadt@openbsd.org>

As pointed out by tobiasu, ed-style patches still use popen() and execute
/bin/ed. This is RETARDED. Nothing learned from the last year?

Add tame "proc" until that is fixed, to allow fork+exec.

I beg for someone to cross-link the guts of ed directly into patch, or
write an ed-subset which can do the job.


# f38df4c4 03-Oct-2015 deraadt <deraadt@openbsd.org>

patch appears to work fully with tame "stdio rpath wpath cpath tmppath fattr".
in case of exploitation, no more network access, fork, execve, etc.
I wonder if we could use whitepath lists here - if it is reasonable to
limit operation in directories known early on?


# 71847ebd 13-Dec-2014 tobias <tobias@openbsd.org>

The function savestr allows NULL return values during Plan A patching so in
case of out of memory conditions, Plan B can step in. In many cases, NULL
value is not properly handled, so use xstrdup here (it's outside Plan A/B
patching, which means that even Plan B relies on successful operations).


# b97611ee 08-Dec-2014 deraadt <deraadt@openbsd.org>

spaces

