From d723cc008d7793334260e6ac0d7412ce13e1cf29 Mon Sep 17 00:00:00 2001
From: Matthias Andree <matthias.andree@gmx.de>
Date: Wed, 26 Dec 2007 14:18:17 +0000
Subject: .fetchmailrc/.fetchids may now be symlinks, Debian Bug#452907 (Roger
 Leigh).

svn path=/branches/BRANCH_6-3/; revision=5144
---
 NEWS       | 3 +++
 TODO.txt   | 3 +--
 rcfile_y.y | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/NEWS b/NEWS
index a5c4e4e8..ac45db7d 100644
--- a/NEWS
+++ b/NEWS
@@ -66,6 +66,9 @@ fetchmail 6.3.9 (not yet released):
 * No longer complain about invalid sslproto "" when POP3 CAPA probe fails.
   Fixes Debian Bug#421446 (Holger Leskien), Novell Bug #247233 (Jon Nelson).
   Thanks to Matthias Strauß for a configuration to reproduce the issue.
+* Allow .fetchmailrc and .fetchids to be symlinks, as the manpage does not
+  document they aren't allowed - fixes Debian Bug #452907 (Roger Leigh).
+  TOCTOU race persists.
 
 # CHANGES:
 * Removed dead FETCHMAIL_DEBUG code from fetchmail.h that was disabled by 
diff --git a/TODO.txt b/TODO.txt
index c54e788e..4be71f67 100644
--- a/TODO.txt
+++ b/TODO.txt
@@ -6,8 +6,6 @@ soon - MUST:
   Earl Chew, 2007-07-30T02:28)
 - publish SA-2007-02 after release
 - Peter O'Gorman 2007-10-31 fetchmail-6.3.8 portability patches [-devel list]
-- Debian Bug #452907 .fetchmailrc not permitted to be a symlink
-  (restriction not mentioned in manpage, also affects .idfile)
 
 soon - SHOULD:
 - BerliOS Bug #11576, thread on fetchmail users "Invalid SSL certificate" by
@@ -18,6 +16,7 @@ soon - SHOULD:
 - add To: header to warning mails (authfail for instance)
 - Debian Bug#449179, smbutil.c:90: unicodeToString: Assertion `len+1 < sizeof
   buf' failed, from Stepan Golosunov <stepan@golosunov.pp.ru>
+- Fix TOCTOU race around prc_filecheck*
 
 soon - MAY:
 - https://bugzilla.novell.com/show_bug.cgi?id=246829 - fetchmail lost some mail
diff --git a/rcfile_y.y b/rcfile_y.y
index 266f480d..300fcc7f 100644
--- a/rcfile_y.y
+++ b/rcfile_y.y
@@ -404,7 +404,7 @@ int prc_filecheck(const char *pathname,
        process, it must have permissions no greater than 600, and it must not 
        be a symbolic link.  We check these conditions here. */
 
-    if (lstat(pathname, &statbuf) < 0) {
+    if (stat(pathname, &statbuf) < 0) {
 	if (errno == ENOENT) 
 	    return(PS_SUCCESS);
 	else {
-- 
cgit v1.2.3