From 068c25d8f6db0cbd0aa4668f45b2135a4b83f8b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Ekl=C3=B6f?= Date: Tue, 29 Mar 2022 18:22:08 +0200 Subject: [PATCH] module/script: open comm-pipe + /dev/null with CLOEXEC MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This ensures we don’t leak FDs when exec:ing e.g. on-click handlers. Note that the comm-pipe FD is *supposed* to stay open when we execing the script. This is handled by the call to dup2(), which drops the CLOEXEC flag. Since dup2() is called after the fork, the dup:ed FD is never visible in the “parent” yambar process. --- modules/script.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/script.c b/modules/script.c index 254aac4..5b3b51a 100644 --- a/modules/script.c +++ b/modules/script.c @@ -396,7 +396,7 @@ execute_script(struct module *mod) /* Stdout redirection pipe */ int comm_pipe[2]; - if (pipe(comm_pipe) < 0) { + if (pipe2(comm_pipe, O_CLOEXEC) < 0) { LOG_ERRNO("failed to create stdin/stdout redirection pipe"); close(exec_pipe[0]); close(exec_pipe[1]); @@ -444,7 +444,7 @@ execute_script(struct module *mod) close(comm_pipe[0]); /* Re-direct stdin/stdout */ - int dev_null = open("/dev/null", O_RDONLY); + int dev_null = open("/dev/null", O_RDONLY | O_CLOEXEC); if (dev_null < 0) goto fail;