Stuart Henderson said:

> > - in mime detection code uses pledge(2) + libmagic(3) as first choice
> > and execl(3) + file(1) as second
>
> er, we were trying to get rid of libmagic use...
As I see it, we are trying to solve security issues related to the fact that libmagic may be tricked into executing code from an inspected file. The solution, as discussed earlier, was to use file(1) with its own parser of the magic database. That said, it was observed that libmagic gives better results than our file(1) with our magic database. Thus the previous approach was to split the ports into two flavors: secure (file(1) only) and usable (libmagic).

This diff puts the libmagic-interfacing code into a subprocess with pledge("stdio rpath"), so that libmagic can't harm the user in any meaningful way. If it tries to do something funny, it gets killed, and execl("/usr/bin/file", ...) is used instead. I think this way users are served better than with either of the ports above.

--
Dmitrij D. Czarkoff
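The two-stage design described in this thread, as an added example and not the port's own code: the libmagic-style detector runs in a child that calls pledge("stdio rpath") (compiled only on OpenBSD, an assumption for other hosts), the parent treats a killed or non-zero child as failure, and only then execl()s /usr/bin/file. The names spawn, reap, run_sandboxed, detect_mime and the two test doubles sniff_detect and rogue_detect are hypothetical; rogue_detect kills itself to stand in for a pledge violation.

```c
#include <sys/wait.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
typedef int (*detector_fn)(const char *path, char *out, size_t n);
/* pipe(2)+fork(2): the child keeps the write end in *fd, the parent the read end. */
static pid_t spawn(int *fd) {
    int p[2]; pid_t pid;
    if (pipe(p) == -1 || (pid = fork()) == -1) return -1;
    *fd = pid == 0 ? p[1] : p[0]; close(pid == 0 ? p[0] : p[1]);
    return pid;
}
/* Parent side: collect the child's answer and reap it; killed (pledge ends in SIGKILL) or non-zero = failure. */
static int reap(pid_t pid, int rfd, char *out, size_t n) {
    size_t total = 0; ssize_t r; int status;
    while (total < n - 1 && (r = read(rfd, out + total, n - 1 - total)) > 0) total += r;
    close(rfd); out[total] = '\0'; out[strcspn(out, "\n")] = '\0';
    if (waitpid(pid, &status, 0) == -1) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0 && total > 0) ? 0 : -1;
}
/* First choice: run the libmagic-style detector inside a pledge("stdio rpath") child. */
int run_sandboxed(detector_fn fn, const char *path, char *out, size_t n) {
    int fd; pid_t pid = spawn(&fd);
    if (pid == 0) {
#ifdef __OpenBSD__   /* assumption: on other hosts the child simply runs unpledged */
        if (pledge("stdio rpath", NULL) == -1) _exit(1);
#endif
        if (fn(path, out, n) != 0) _exit(1);
        (void)write(fd, out, strlen(out)); _exit(0);
    }
    return pid == -1 ? -1 : reap(pid, fd, out, n);
}
/* Second choice, taken whenever the sandboxed run failed: execl(3) file(1), which has its own magic parser. */
int detect_mime(detector_fn fn, const char *path, char *out, size_t n) {
    int fd; pid_t pid;
    if (run_sandboxed(fn, path, out, n) == 0) return 0;
    if ((pid = spawn(&fd)) == 0) {
        dup2(fd, STDOUT_FILENO);
        execl("/usr/bin/file", "file", "-b", "--mime-type", "--", path, (char *)NULL);
        _exit(127);
    }
    return pid == -1 ? -1 : reap(pid, fd, out, n);
}
/* Constructed test double standing in for libmagic: only needs rpath, reports a fixed type. */
int sniff_detect(const char *path, char *out, size_t n) {
    FILE *f = fopen(path, "r"); if (!f) return -1; fclose(f);
    return snprintf(out, n, "application/octet-stream") < 0;
}
/* Constructed misbehaving detector: dies the way a pledge violation would. */
int rogue_detect(const char *p, char *o, size_t n) { (void)p; (void)o; (void)n; kill(getpid(), SIGKILL); return 0; }
```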