Do not execute group-/world-writeable playlist and metadata scripts.

git-svn-id: https://svn.xiph.org/trunk/ezstream@12712 0101bb08-14d6-0310-b084-bc0e0c8e3800

NEWS

@@ -7,6 +7,7 @@ Changes in 0.4.0, (SVN trunk):
  * src/playlist.*:
    - [FIX]   An error compareable to the one about xfree() in src/util.* has
              been fixed.
+   - [MISC]  Refuse to execute a group- or world-writeable playlist script.
 
  * src/compat.c:
    - [ADD]   Implement a basename() function for Windows that behaves like the

src/metadata.c

@@ -364,6 +364,12 @@ metadata_program(const char *program)
 		metadata_free(&md);
 		return (NULL);
 	}
+	if (st.st_mode & (S_IWGRP | S_IWOTH)) {
+		printf("%s: Error: %s is group and/or world writeable\n",
+		       __progname, program);
+		metadata_free(&md);
+		return (NULL);
+	}
 	if (!(st.st_mode & (S_IEXEC | S_IXGRP | S_IXOTH))) {
 		printf("%s: %s: Not an executable program\n", __progname, program);
 		metadata_free(&md);

src/playlist.c

@@ -218,6 +218,12 @@ playlist_program(const char *filename)
 		playlist_free(&pl);
 		return (NULL);
 	}
+	if (st.st_mode & (S_IWGRP | S_IWOTH)) {
+		printf("%s: Error: %s is group and/or world writeable\n",
+		       __progname, filename);
+		playlist_free(&pl);
+		return (NULL);
+	}
 	if (!(st.st_mode & (S_IEXEC | S_IXGRP | S_IXOTH))) {
 		printf("%s: %s: Not an executable program\n", __progname, filename);
 		playlist_free(&pl);