Index: main.c =================================================================== RCS file: /cvs/src/src/gdb/main.c,v retrieving revision 1.87 diff -u -p -r1.87 main.c --- main.c 22 Sep 2010 19:59:15 -0000 1.87 +++ main.c 23 Nov 2010 17:34:33 -0000 @@ -796,7 +796,7 @@ Excess command line arguments ignored. ( debugging or what directory you are in. */ if (home_gdbinit && !inhibit_gdbinit) - catch_command_errors (source_script, home_gdbinit, 0, RETURN_MASK_ALL); + catch_command_errors (source_script, home_gdbinit, -1, RETURN_MASK_ALL); /* Now perform all the actions indicated by the arguments. */ if (cdarg != NULL) @@ -870,7 +870,7 @@ Can't attach to process and specify a co /* Read the .gdbinit file in the current directory, *if* it isn't the same as the $HOME/.gdbinit file (it should exist, also). */ if (local_gdbinit && !inhibit_gdbinit) - catch_command_errors (source_script, local_gdbinit, 0, RETURN_MASK_ALL); + catch_command_errors (source_script, local_gdbinit, -1, RETURN_MASK_ALL); /* Now that all .gdbinit's have been read and all -d options have been processed, we can read any scripts mentioned in SYMARG. Index: cli/cli-cmds.c =================================================================== RCS file: /cvs/src/src/gdb/cli/cli-cmds.c,v retrieving revision 1.105 diff -u -p -r1.105 cli-cmds.c --- cli/cli-cmds.c 27 Jul 2010 20:33:40 -0000 1.105 +++ cli/cli-cmds.c 23 Nov 2010 17:34:34 -0000 @@ -39,6 +39,7 @@ #include "source.h" #include "disasm.h" #include "tracepoint.h" +#include "gdb_stat.h" #include "ui-out.h" @@ -483,11 +484,19 @@ Script filename extension recognition is search for it in the source search path. NOTE: This calls openp which uses xfullpath to compute the full path - instead of gdb_realpath. Symbolic links are not resolved. */ + instead of gdb_realpath. Symbolic links are not resolved. + + If FROM_TTY is -1, then this script is being automatically loaded + at runtime, and a security check will be performed on the file + (supported only on hosts with HAVE_GETUID). + + TODO: Platforms without HAVE_GETUID (most notably Windows) are still + susceptible to executing untrusted script files until an appropriate + permissions check can be performed. */ int find_and_open_script (const char *script_file, int search_path, - FILE **streamp, char **full_pathp) + FILE **streamp, char **full_pathp, int from_tty) { char *file; int fd; @@ -513,6 +522,51 @@ find_and_open_script (const char *script return 0; } +#ifdef HAVE_GETUID + if (from_tty == -1) + { + struct stat statbuf; + + if (fstat (fd, &statbuf) < 0) + { + int save_errno = errno; + close (fd); + do_cleanups (old_cleanups); + errno = save_errno; + return 0; + } + + /* If our group ID matches the file, read it in + without warning/querying the user. */ +#ifdef HAVE_GETGID + if (statbuf.st_gid != getgid ()) +#endif + { + int ask = 0; + + if (statbuf.st_uid != getuid ()) + { + warning (_("file \"%s\" is not owned by you"), file); + ask = 1; + } + else if (statbuf.st_mode & S_IWOTH) + { + warning (_("file \"%s\" is world-writable"), file); + ask = 1; + } + + /* FILE gets freed by do_cleanups (old_cleanups). */ + if (ask && !nquery (_("Read file anyway? "))) + { + close (fd); + do_cleanups (old_cleanups); + errno = EPERM; + return 0; + } + } + } +#endif + do_cleanups (old_cleanups); *streamp = fdopen (fd, FOPEN_RT); @@ -572,13 +626,14 @@ source_script_with_search (const char *f if (file == NULL || *file == 0) error (_("source command requires file name of file to source.")); - if (!find_and_open_script (file, search_path, &stream, &full_path)) + if (!find_and_open_script (file, search_path, &stream, &full_path, + from_tty)) { /* The script wasn't found, or was otherwise inaccessible. If the source command was invoked interactively, throw an error. Otherwise (e.g. if it was invoked by a script), silently ignore the error. */ - if (from_tty) + if (from_tty > 0) perror_with_name (file); else return; Index: cli/cli-cmds.h =================================================================== RCS file: /cvs/src/src/gdb/cli/cli-cmds.h,v retrieving revision 1.16 diff -u -p -r1.16 cli-cmds.h --- cli/cli-cmds.h 2 May 2010 23:52:14 -0000 1.16 +++ cli/cli-cmds.h 23 Nov 2010 17:34:34 -0000 @@ -126,7 +126,8 @@ extern void source_script (char *, int); /* Exported to objfiles.c. */ extern int find_and_open_script (const char *file, int search_path, - FILE **streamp, char **full_path); + FILE **streamp, char **full_path, + int from_tty); /* Command tracing state. */ Index: python/py-auto-load.c =================================================================== RCS file: /cvs/src/src/gdb/python/py-auto-load.c,v retrieving revision 1.5 diff -u -p -r1.5 py-auto-load.c --- python/py-auto-load.c 22 Sep 2010 20:00:53 -0000 1.5 +++ python/py-auto-load.c 23 Nov 2010 17:34:34 -0000 @@ -219,7 +219,7 @@ source_section_scripts (struct objfile * } opened = find_and_open_script (file, 1 /*search_path*/, - &stream, &full_path); + &stream, &full_path, 1 /* from_tty */); /* If the file is not found, we still record the file in the hash table, we only want to print an error message once. Index: doc/gdb.texinfo =================================================================== RCS file: /cvs/src/src/gdb/doc/gdb.texinfo,v retrieving revision 1.776 diff -u -p -r1.776 gdb.texinfo --- doc/gdb.texinfo 23 Nov 2010 14:39:16 -0000 1.776 +++ doc/gdb.texinfo 23 Nov 2010 17:34:43 -0000 @@ -1286,6 +1286,11 @@ ports of @value{GDBN} use the standard n @file{gdb.ini} file, they warn you about that and suggest to rename the file to the standard name. +On some platorms, @value{GDBN} will perform security check of @file{.gdbinit} +before it is executed. If @file{.gdbinit} is not owned by the current user +or the file is world-writable, @value{GDBN} will warn the user and ask if +the file should be read anyway. These warnings are suppressed when the +group ID of the file's owner matches the group ID of the user. @node Quitting GDB @section Quitting @value{GDBN}