Move compinit security checks into compaudit.

2 files changed, 149 insertions, 55 deletions

diff --git a/Completion/Core/compaudit b/Completion/Core/compaudit
new file mode 100644
index 000000000..4ea31af58
--- /dev/null
+++ b/Completion/Core/compaudit
@@ -0,0 +1,130 @@
+# So that this file can also be read with `.' or `source' ...
+compaudit() {                           # Define and then call
+
+# Audit the fpath to assure that it contains all the directories needed by
+# the completion system, and that those directories are at least unlikely
+# to contain dangerous files.  This is far from perfect, as the modes or
+# ownership of files or directories might change between the time of the
+# audit and the time the function is executed.
+
+# This function is designed to be called from compinit, which assumes that
+# it is in the same directory, i.e., it can be autoloaded from the initial
+# fpath as compinit was.  Most local parameter names in this function must
+# therefore be the same as those used in compinit.
+
+emulate -L zsh
+setopt extendedglob
+
+# The positional parameters are the directories to check, else fpath.
+if (( $# )); then
+  local _compdir=''
+elif (( $#fpath == 0 )); then
+  print 'compaudit: No directories in $fpath, cannot continue' 1>&2
+  return 1
+else
+  set -- $fpath
+fi
+
+# _i_check is defined by compinit; used here as a test for whether this
+# function is running standalone or was called by compinit.  If called
+# by compinit, we use parameters that are defined in compinit's scope,
+# otherwise we make them local here.
+(( $+_i_check )) || {
+  local _i_q _i_line _i_file _i_fail=verbose
+  local -a _i_files _i_addfiles _i_wdirs _i_wfiles
+  local -a -U +h fpath
+}
+
+fpath=( $* )
+
+# _compdir may be defined by the user; see the compinit documentation.
+# If it isn't defined, we want it to point somewhere sensible, but the
+# user is allowed to set it to empty to bypass the check below.
+(( $+_compdir )) || {
+  local _compdir=${fpath[(r)*/$ZSH_VERSION/*]}
+  [[ -z $_compdir ]] && _compdir=$fpath[1]
+  [[ -d $_compdir/../Core ]] && _compdir=${_compdir:h}
+}
+
+_i_wdirs=()
+_i_wfiles=()
+
+_i_files=( ${^~fpath:/.}/^([^_]*|*~|*.zwc)(N) )
+if [[ -n $_compdir ]]; then
+  if [[ $#_i_files -lt 20 || $_compdir = */Core || -d $_compdir/Core ]]; then
+    # Too few files: we need some more directories, or we need to check
+    # that all directories (not just Core) are present.
+    _i_addfiles=()
+    if [[ $_compdir = */Core ]]; then
+      # Add all the Completion subdirectories
+      _i_addfiles=(${_compdir:h}/*(/))
+    elif [[ -d $_compdir/Core ]]; then
+      # Likewise
+      _i_addfiles=(${_compdir}/*(/))
+    fi
+    for _i_line in {1..$#i_addfiles}; do
+      _i_file=${_i_addfiles[$_i_line]}
+      [[ -d $_i_file && -z ${fpath[(r)$_i_file]} ]] ||
+        _i_addfiles[$_i_line]=
+    done
+    fpath=($fpath $_i_addfiles)
+    _i_files=( ${^~fpath:/.}/^([^_]*|*~|*.zwc)(N) )
+  fi
+fi
+
+[[ $_i_fail == use ]] && return 0
+
+# RedHat Linux "per-user groups" check.  This is tricky, because it's very
+# difficult to tell whether the sysadmin has put someone else into your
+# "private" group (e.g., via the default group field in /etc/passwd, or
+# by NFS group sharing with an untrustworthy machine).  So we must assume
+# that this has not happened, and pick the best group.
+
+local GROUP GROUPMEM _i_pw _i_gid
+while IFS=: read GROUP _i_pw _i_gid GROUPMEM; do
+  if (( UID == EUID )); then
+    [[ $GROUP == $LOGNAME ]] && break
+  else
+    (( _i_gid == EGID )) && break       # Somewhat arbitrary
+  fi
+done < /etc/group
+
+# We search for:
+# - world/group-writable directories in fpath not owned by root and the user
+# - parent-directories of directories in fpath that are world/group-writable
+#   and not owned by root and the user (that would allow someone to put a
+#   digest file for one of the directories into the parent directory)
+# - digest files for one of the directories in fpath not owned by root and
+#   the user
+# - and for files in directories from fpath not owned by root and the user
+#   (including zwc files)
+
+if [[ $GROUP == $LOGNAME && ( -z $GROUPMEM || $GROUPMEM == $LOGNAME ) ]]; then
+  _i_wdirs=( ${^fpath}(Nf:g+w:^g:${GROUP}:,f:o+w:,^u0u${EUID})
+             ${^fpath}/..(Nf:g+w:^g:${GROUP}:,f:o+w:,^u0u${EUID}) )
+else
+  _i_wdirs=( ${^fpath}(Nf:g+w:,f:o+w:,^u0u${EUID})
+             ${^fpath}/..(Nf:g+w:,f:o+w:,^u0u${EUID}) )
+fi
+_i_wdirs=( $_i_wdirs ${^fpath}.zwc^([^_]*|*~)(N^u0u${EUID}) )
+_i_wfiles=( ${^fpath}/^([^_]*|*~)(N^u0u${EUID}) )
+
+case "${#_i_wdirs}:${#_i_wfiles}" in
+(0:0) _i_q= ;;
+(0:*) _i_q=files ;;
+(*:0) _i_q=directories ;;
+(*:*) _i_q='directories and files' ;;
+esac
+
+if [[ -n "$_i_q" ]]; then
+  [[ $_i_fail == verbose ]] && {
+    print There are insecure ${_i_q}: 1>&2
+    print -l - $_i_wdirs $_i_wfiles
+  }
+  return 1
+fi
+return 0
+
+}                                       # Define and then call
+
+compaudit "$@"
diff --git a/Completion/Core/compinit b/Completion/Core/compinit
index 61128af01..de11c8f8c 100644
--- a/Completion/Core/compinit
+++ b/Completion/Core/compinit
@@ -1,10 +1,11 @@
 # Initialisation for new style completion. This mainly contains some helper
 # functions and aliases. Everything else is split into different files that
-# will automatically be made autoloaded (see the end of this file).
-# The names of the files that will be considered for autoloading have to
-# start with an underscores (like `_setopt').
-# The first line of these files will be read and has to say what should be
-# done with its contents:
+# will automatically be made autoloaded (see the end of this file).  The
+# names of the files that will be considered for autoloading are those that
+# begin with an underscores (like `_setopt').
+#
+# The first line of each of these files is read and must indicate what
+# should be done with its contents:
 #
 #   `#compdef <names ...>'
 #     If the first line looks like this, the file is autoloaded as a
@@ -57,6 +58,13 @@
 # the end).  This takes the dumpfile as an argument.  -d (with the
 # default dumpfile) is now the default; to turn off dumping use -D.
 
+# The -C flag bypasses both the check for rebuilding the dump file and the
+# usual call to compaudit; the -i flag causes insecure directories found by
+# compaudit to be ignored, and the -u flag causes all directories found by
+# compaudit to be used (without security checking).  Otherwise the user is
+# queried for whether to use or ignore the insecure directories (which
+# means compinit should not be called from non-interactive shells).
+
 emulate -L zsh
 setopt extendedglob
 
@@ -321,57 +329,13 @@ typeset _i_wdirs _i_wfiles
 _i_wdirs=()
 _i_wfiles=()
 
+autoload -U compaudit
 if [[ -n "$_i_check" ]]; then
-  _i_files=( ${^~fpath:/.}/^([^_]*|*~|*.zwc)(N) )
-  if [[ $#_i_files -lt 20 || $_compdir = */Core || -d $_compdir/Core ]]; then
-    # Too few files:  we need some more directories,
-    # or we need to check that all directories (not just Core) are present.
-    if [[ -n $_compdir ]]; then
-      _i_addfiles=()
-      if [[ $_compdir = */Core ]]; then
-        # Add all the Completion subdirectories
-        _i_addfiles=(${_compdir:h}/*(/))
-      elif [[ -d $_compdir/Core ]]; then
-        # Likewise
-        _i_addfiles=(${_compdir}/*(/))
-      fi
-      for _i_line in {1..$#i_addfiles}; do
-        _i_file=${_i_addfiles[$_i_line]}
-        [[ -d $_i_file && -z ${fpath[(r)$_i_file]} ]] ||
-          _i_addfiles[$_i_line]=
-      done
-      fpath=($fpath $_i_addfiles)
-      _i_files=( ${^~fpath:/.}/^([^_]*|*~|*.zwc)(N) )
-    fi
-  fi
-  if [[ "$_i_fail" != use ]]; then
-    typeset _i_q
-
-    # We search for:
-    # - world/group-writable directories in fpath not owned by root and the user
-    # - parent-directories of directories in fpath that are world/group-writable
-    #   and not owned by root and the user (that would allow someone to put a
-    #   digest file for one of the directories into the parent directory)
-    # - digest files for one of the directories in fpath not owned by root and
-    #   the user
-    # - and for files in directories from fpath not owned by root and the user
-    #   (including zwc files)
-
-    _i_wdirs=( ${^fpath}(Nf:g+w:,f:o+w:,^u0u${EUID})
-               ${^fpath}/..(Nf:g+w:,f:o+w:,^u0u${EUID})
-               ${^fpath}.zwc^([^_]*|*~)(N^u0u${EUID}) )
-    _i_wfiles=( ${^fpath}/^([^_]*|*~)(N^u0u${EUID}) )
-
-    case "${#_i_wdirs}:${#_i_wfiles}" in
-    0:0) _i_q= ;;
-    0:*) _i_q=files ;;
-    *:0) _i_q=directories ;;
-    *:*) _i_q='directories and files' ;;
-    esac
-
+  typeset _i_q
+  if ! eval compaudit; then
     if [[ -n "$_i_q" ]]; then
       if [[ "$_i_fail" = ask ]]; then
-        if ! read -q "?There are insecure $_i_q, continue [ny]? "; then
+        if ! read -q "?There are insecure $_i_q, use them anyway [ny]? "; then
           unfunction compinit compdef
           unset _comp_dumpfile _comp_secure compprefuncs comppostfuncs \
                 _comps _patcomps _postpatcomps _compautos _lastcomp
@@ -461,7 +425,7 @@ if [[ ${_i_line[2]} = expand-or-complete ]] &&
   bindkey '^i' complete-word
 fi
 
-unfunction compinit
-autoload -U compinit
+unfunction compinit compaudit
+autoload -U compinit compaudit
 
 return 0