Hi all, On 18/06/16 10:54, Gisle Vanem wrote: > Eli Zaretskii wrote: > >> IMO, this test should be bypassed on Windows. The "world" part in >> "world-writeable" is a Unix-centric notion, and its translation into >> MS-Windows ACLs is non-trivial (read: "impossible"). (For example, >> your "non-world-writeable" file is accessible to certain users and >> groups of users on Windows, other than Administrator.) So the sanest >> solution for this is simply not to make this test on Windows. > > Makes sense. I agree. >
Patch attached. We still check whether the file exists. Best regards, - AJ
From 6c8abe30eb39ad4313a851f9b46457249cf5e726 Mon Sep 17 00:00:00 2001 From: Ander Juaristi <[email protected]> Date: Sun, 26 Jun 2016 17:43:28 +0200 Subject: [PATCH] Bypass world-writable checks on Windows * src/hsts.c (hsts_file_access_valid): we should check for "world-writable" files only on Unix-based systems. It's difficult to mimic the same behavior on Windows, so it's better to just not do it. Reported-by: Gisle Vanem <[email protected]> Reported-by: Eli Zaretskii <[email protected]> --- src/hsts.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/hsts.c b/src/hsts.c index 4d748ac..a0087a6 100644 --- a/src/hsts.c +++ b/src/hsts.c @@ -348,7 +348,15 @@ hsts_file_access_valid (const char *filename) if (stat (filename, &st) == -1) return false; - return !(st.st_mode & S_IWOTH) && S_ISREG (st.st_mode); + return +#ifndef WINDOWS + /* + * The world-writable concept is a Unix-centric notion. + * We bypass this test on Windows. + */ + !(st.st_mode & S_IWOTH) && +#endif + S_ISREG (st.st_mode); } /* HSTS API */ -- 2.1.4
signature.asc
Description: OpenPGP digital signature
