$NetBSD: patch-ag,v 1.4 2004/10/22 19:32:35 jmmv Exp $

This diff is taken from the url below:
http://cvs.sourceforge.net/viewcvs.py/xdvi/xdvik/texk/xdvik/xdvizilla?r1=text&tr1=1.2&r2=text&tr2=1.10&diff_format=u

===================================================================
RCS file: /cvsroot/xdvi/xdvik/texk/xdvik/xdvizilla,v
retrieving revision 1.2
retrieving revision 1.10
diff -u -r1.2 -r1.10
--- texk/xdvik/xdvizilla	2002/10/12 13:29:17	1.2
+++ texk/xdvik/xdvizilla	2004/02/24 22:37:37	1.10
@@ -1,11 +1,68 @@
 #! /bin/sh
-
+#
 # This is a kludge to fix helper apps in mozilla.  See mozilla bugs #57420
 # and also #78919.
-
+#
 # It's also useful for tar files with Netscape 4.x
+#
+# Copyright (c) 2002-2004  Paul Vojta
+# 
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+# 
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+# IN NO EVENT SHALL PAUL VOJTA OR ANY OTHER AUTHOR OF OR CONTRIBUTOR TO
+# THIS SOFTWARE BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+
+# Some changes suggested by Thomas Esser included by
+# <stefanulrich@users.sourceforge.net>.
 
+IN_FILE=
 NO_RM=
+TMP_DIR=
+progname=xdvizilla
+
+do_cleanup()
+{
+    exitval=$?
+    if [ -z "$NO_RM" -a -n "$IN_FILE" ] ; then
+	rm -f "$IN_FILE"
+    fi
+    test -n "$TMP_DIR" && rm -rf "$TMP_DIR"
+    exit $exitval
+}
+
+do_abort()
+{
+    xmessage -nearmouse "$progname: $1"
+    do_cleanup
+    exit 1
+}
+
+usage()
+{
+    xmessage -nearmouse "Usage: $progname [-no-rm] <file>"
+    do_cleanup
+    exit 1
+}
+
+trap 'do_cleanup' 1 2 3 7 13 15
+
+### create a temporary directory only read/writable by user
+TMP_DIR=${TMP-/tmp}/$progname.$$
+(umask 077; mkdir "$TMP_DIR") || do_abort "Could not create directory \`$TMP_DIR'"
 
 if [ $# -gt 1 -a "x$1" = "x-no-rm" ]; then
   NO_RM=y
@@ -13,8 +70,7 @@
 fi
 
 if [ $# -ne 1 ]; then
-  xmessage -nearmouse 'Usage: xdvizilla [-no-rm] <file>'
-  exit 1
+  usage
 fi
 
 DIR=`dirname "$0"`
@@ -27,55 +83,52 @@
   DIR=
 fi
 
-FILE=$1
-FILETYPE=`file "$FILE"`
-
-case "$FILETYPE" in
-
-  *"gzip compressed data"*)
-    FILE=/tmp/xdvizilla$$
-    gunzip -c "$1" > $FILE
-    [ -n "$NO_RM" ] || rm -f -- "$1"
-    NO_RM=
-    FILETYPE=`file "$FILE"`
-    ;;
-
-  *"compressed data"* | *"compress'd data"*)
-    FILE=/tmp/xdvizilla$$
-    uncompress -c "$1" > $FILE
-    [ -n "$NO_RM" ] || rm -f -- "$1"
-    NO_RM=
-    FILETYPE=`file "$FILE"`
-    ;;
-
-  "$1: empty")
-    xmessage -nearmouse "$1 is an empty file
-(this is a bug in Mozilla)"
-    [ -n "$NO_RM" ] || rm -f -- "$1"
-    exit 1
-    ;;
-
-esac
-
-case "$FILETYPE" in
-
-  *" tar archive")
-    TARDIR=/tmp/xdvitar$$
-    mkdir $TARDIR
-    cat "$FILE" | (cd $TARDIR; tar xf -)
-    DVINAME=`tar tf "$FILE" | grep '\.dvi$' | head -1`
-    [ -n "$NO_RM" ] || rm -f -- "$FILE"
-    if [ -z "$DVINAME" ]; then
-      xmessage -nearmouse "Tar file does not contain a dvi file"
-    else
-      (cd $TARDIR; "$DIR"xdvi -safer "$DVINAME")
-    fi
-    rm -rf $TARDIR
-  ;;
+# need to preserve IN_FILE for eventual deletion
+IN_FILE="$1"
+TMP_FILE="$IN_FILE"
+
+while [ 1 ]; do
+    [ -f "$TMP_FILE" ] || do_abort "$TMP_FILE: File not found."    
+    FILETYPE=`file "$TMP_FILE"`
+    case "$FILETYPE" in
+    *"gzip compressed data"*)
+        out="$TMP_DIR"/tmp-gz
+        gunzip -c "$TMP_FILE" > "$out"
+        TMP_FILE="$out"
+        ;;
+    *"compressed data"* | *"compress'd data"*)
+        out="$TMP_DIR"/tmp-compress
+        uncompress -c "$TMP_FILE" > "$out"
+        TMP_FILE="$out"
+        ;;
+    "$TMP_FILE: empty")
+        do_abort "$TMP_FILE is an empty file
+(probably a bug in Mozilla?)"
+        ;;
+    *" tar archive")
+	### do sanity checks on the tar archive, to avoid overwriting user files:
+	dangerous=`tar tf "$TMP_FILE" | egrep '^(/|.*\.\./)'`
+	[ -z "$dangerous" ] || do_abort "Tar file contains files with absolute paths or \`../' components,
+which may overwrite user files. Not unpacking it."
+        ### also check for gzipped DVI files inside the archive ...
+        out="$TMP_DIR"/`tar tf "$TMP_FILE" | egrep '\.(dvi|dvi.gz|dvi.Z)$' | head -1`
+        if [ -z "$out" ]; then
+	    do_abort "Tar file does not contain a dvi file."
+        else
+	    cat "$TMP_FILE" | (cd "$TMP_DIR"; tar xf -)
+	    TMP_FILE="$out"
+        fi
+        ;;
+    *"DVI file"*)
+        "$DIR"xdvi -safer "$TMP_FILE"
+        break
+        ;;
+    *)
+        do_abort "$TMP_FILE: Unrecognized file format!"
+        ;;
+    esac
+done
 
-  *)
-    "$DIR"xdvi -safer "$FILE"
-    [ -n "$NO_RM" ] || rm -f -- "$FILE"
-  ;;
+do_cleanup
 
-esac
+exit 0
