Bug 841, CVE-2006-5925: Prevent enabling the SMB protocol.

src/protocol/smb/smb.c: Added #error directives so that this
vulnerable code cannot be accidentally compiled in.

features.conf: Disable CONFIG_SMB by default and explain why.

configure.in: If CONFIG_SMB is enabled, disable it and warn the user.
This is for people who have customized features.conf.

configure.in

@@ -1246,7 +1246,13 @@ EL_ARG_ENABLE(CONFIG_NNTP, nntp, [NNTP protocol],
 	      [  --enable-nntp           enable nntp protocol support])
 
 EL_ARG_DEPEND(CONFIG_SMB, smb, [HAVE_SMBCLIENT:yes], [SMB protocol],
-	      [  --disable-smb           disable SMB protocol support (requires smbclient)])
+	      [  --enable-smb            not currently allowed])
+dnl	      [  --disable-smb           disable SMB protocol support (requires smbclient)])
+if test "$CONFIG_SMB" != no; then
+  AC_MSG_WARN([Ignoring --enable-smb because of vulnerability CVE-2006-5925.
+If you want to use SMB, please vote for bug 844 or post a patch.])
+  CONFIG_SMB=no
+fi
 
 
 EL_ARG_ENABLE(CONFIG_MOUSE, mouse, [Mouse handling],

features.conf

@@ -373,9 +373,15 @@ CONFIG_NNTP=no
 # will need to install Samba (or at least just the smbclient part, if you can
 # install it separately).
 #
-# Default: enabled if smbclient will be found
+# Unfortunately, ELinks doesn't yet properly validate the file name passed to
+# smbclient, and this caused vulnerability CVE-2006-5925 (bug 841).  To close
+# the vulnerability, configure.in now disables the SMB protocol regardless
+# of what you specify here.  If you would like to fix the code so that the
+# protocol can be safely enabled again, please see bug 844.
+#
+# Default: disabled
 
-CONFIG_SMB=yes
+CONFIG_SMB=no
 
 
 ### Cascading Style Sheets

src/protocol/smb/smb.c

@@ -4,6 +4,9 @@
 #define _GNU_SOURCE /* Needed for asprintf() */
 #endif
 
+#error SMB protocol support is vulnerable to CVE-2006-5925.  Do not use.
+#error If you want to use SMB, please vote for bug 844 or post a patch.
+
 #ifdef HAVE_CONFIG_H
 #include "config.h"
 #endif