From aa34925f54754b5a6535ca0e062723825863f88d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Ekl=C3=B6f?= <daniel@ekloef.se>
Date: Mon, 2 Nov 2020 19:12:26 +0100
Subject: [PATCH] module/script: close all unrelated FDs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

While most FDs are CLOEXEC, not all are. For example, other script
modules’ re-direction pipes.
---
 modules/script.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/modules/script.c b/modules/script.c
index da11a80..e18570e 100644
--- a/modules/script.c
+++ b/modules/script.c
@@ -479,6 +479,16 @@ run(struct module *mod)
         close(comm_pipe[1]);
         comm_pipe[1] = -1;
 
+        /* Close *all* other FDs */
+        for (int i = STDERR_FILENO + 1; i < 65536; i++) {
+            if (i == exec_pipe[1]) {
+                /* Needed for error reporting. Automatically closed
+                 * when execvp() succeeds */
+                continue;
+            }
+            close(i);
+        }
+
         execvp(m->path, argv);
 
     fail: