Compare commits


No commits in common. "rawhide" and "f22" have entirely different histories.

4 changed files with 30 additions and 163 deletions

3
.gitignore vendored

@ -1 +1,2 @@
/4pane-*.tar.gz
/4pane-3.0.tar.gz
/4pane-4.0.tar.gz


@ -1,36 +0,0 @@
commit d8b74e4df86fb526ee9caad284b9eb3efe528ac5
Author: dghart <dghart@users.sourceforge.net>
Date: Thu Jan 9 14:14:10 2025 +0000
When previewing an svg file, make the string name unguessable; see https://sourceforge.net/p/fourpane/bugs/22/
Previewing an svg called foo.svg was creating (briefly) in /tmp a file predictably called foo.png. This might have allowed an attacker to overwrite genuine files. Prevent this by prepending a random string to each name.
diff --git a/MyTreeCtrl.cpp b/MyTreeCtrl.cpp
index fd19465..d82cfc8 100644
--- a/MyTreeCtrl.cpp
+++ b/MyTreeCtrl.cpp
@@ -1890,15 +1890,20 @@ void PreviewPopup::DisplayImage(const wxString& fpath)
{
wxLogNull NoErrorMessages;
wxString filepath(fpath);
-wxString pngfilepath;
+wxString pngfilepath, rndstr;
wxImage image;
if (filepath.Right(4) == ".svg")
{ void* handle = wxGetApp().GetRsvgHandle();
if (!handle) return; // Presumably librsvg is not available at present
- wxFileName fn(filepath); // Create a filepath in /tmp/ to store the .png
- pngfilepath = "/tmp/" + fn.GetName() + ".png";
+ // Create a filepath in /tmp/ to store the .png
+ rndstr = ""; srand(time(NULL));
+ wxString allowedchars="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+ for (size_t n=0; n < 9; ++n) // Make the string name unguessable; see https://sourceforge.net/p/fourpane/bugs/22/
+ rndstr << wxString::Format("%c", allowedchars[(char)(rand() % 52)]);
+ wxFileName fn(filepath);
+ pngfilepath = "/tmp/" + rndstr + fn.GetName() + ".png";
if (SvgToPng(filepath, pngfilepath, handle))
image = wxImage(pngfilepath);
wxRemoveFile(pngfilepath);


@ -7,32 +7,20 @@
%define _docdir_fmt %{NAME}
Name: 4Pane
Version: 8.0
Release: 14%{?dist}
Version: 4.0
Release: 1%{?dist}
Summary: Multi-pane, detailed-list file manager
# Overall GPL-3.0-only
# 4Pane.appdata.xml CC0-1.0
# Accelerators.cpp and etc LGPL-2.0-or-later (wxWindows)
# sdk/bzip/LICENSE bzip2-1.0.6 (unused)
# SPDX confirmed
License: GPL-3.0-only AND LGPL-2.0-or-later AND CC0-1.0
License: GPLv3
URL: http://www.4pane.co.uk/
Source0: http://downloads.sourceforge.net/fourpane/4pane-%{version}.tar.gz
# https://sourceforge.net/p/fourpane/bugs/22/
# https://sourceforge.net/p/fourpane/git4pane/ci/d8b74e4df86fb526ee9caad284b9eb3efe528ac5/
# Make files under /tmp unpredictable
Patch0: 4Pane-d8b74e4-tmp-file-name.patch
BuildRequires: gcc-c++
BuildRequires: bzip2-devel
BuildRequires: xz-devel
BuildRequires: wxGTK-devel
BuildRequires: /usr/bin/desktop-file-install
BuildRequires: /usr/bin/appstream-util
BuildRequires: gettext
BuildRequires: wxGTK3-devel
BuildRequires: %{_bindir}/desktop-file-install
BuildRequires: %{_bindir}/appstream-util
BuildRequires: git
BuildRequires: make
%description
4Pane is a multi-pane, detailed-list file manager. It is designed
@ -46,7 +34,6 @@ tools.
%prep
%setup -q -n 4pane-%{version}
%patch -P0 -p1 -b .tmpfile
%if 0
cat > .gitignore <<EOF
@ -58,7 +45,7 @@ config.h.in
EOF
git init
git config user.email "4Pane-maintainers@fedoraproject.org"
git config user.email "4Pane-owner@fedoraproject.org"
git config user.name "4Pane owners"
git add .
git commit -m "base" -q
@ -68,7 +55,7 @@ sed -i.cflags configure \
-e '\@[ \t]\{5,\}C.*FLAGS[ \t]*=[ \t]*$@d'
%build
export WX_CONFIG_NAME=$(ls -1 %{_bindir}/wx-config-3.* | sort | tail -n 1)
export WX_CONFIG_NAME=wx-config-3.0
export EXTRA_CXXFLAGS="%{optflags}"
# --without-builtin_bzip2 means using system bzip2
@ -76,10 +63,11 @@ export EXTRA_CXXFLAGS="%{optflags}"
--disable-desktop \
--without-builtin_bzip2 || \
{ sleep 5 ; cat config.log ; sleep 10 ; exit 1; }
%make_build
make %{?_smp_mflags}
%install
%make_install
%make_install \
INSTALL="install -p"
# Some manual installation
mkdir -p %{buildroot}%{_datadir}/applications
@ -92,15 +80,26 @@ install -cpm 644 bitmaps/%{name}Icon48.png %{buildroot}%{_datadir}/icons/hicolor
mkdir -p %{buildroot}%{_mandir}/man1
install -cpm 644 4Pane.1 %{buildroot}%{_mandir}/man1/
desktop-file-validate %{buildroot}%{_datadir}/applications/%{name}.desktop
appstream-util validate-relax --nonet \
%{buildroot}%{_datadir}/appdata/%{name}.appdata.xml
%find_lang %{name}
# Once remove document and let %%doc re-install them
rm -rf %{buildroot}%{_docdir}/%{name}
%check
desktop-file-validate %{buildroot}%{_datadir}/applications/%{name}.desktop
appstream-util validate-relax --nonet \
%{buildroot}%{_datadir}/metainfo/%{name}.appdata.xml
%post
touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
%postun
if [ $1 -eq 0 ] ; then
touch --no-create %{_datadir}/icons/hicolor &>/dev/null
gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
fi
%posttrans
gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
%files -f %{name}.lang
%license LICENCE
@ -112,110 +111,13 @@ appstream-util validate-relax --nonet \
%{_bindir}/%{name}
%{_mandir}/man1/%{name}.1*
%{_datadir}/metainfo/%{name}.appdata.xml
%{_datadir}/appdata/%{name}.appdata.xml
%{_datadir}/%{name}/
%{_datadir}/applications/%{name}.desktop
%{_datadir}/icons/hicolor/*/apps/%{name}*
%changelog
* Fri Jan 16 2026 Fedora Release Engineering <releng@fedoraproject.org> - 8.0-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 8.0-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Mon Jan 20 2025 Fedora Release Engineering <releng@fedoraproject.org> - 8.0-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 8.0-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Fri Jan 10 2025 Mamoru TASAKA <mtasaka@fedoraproject.org> - 8.0-10
- Upstream fix to make files under /tmp unpredictable
* Wed Jul 17 2024 Fedora Release Engineering <releng@fedoraproject.org> - 8.0-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Fri Jan 26 2024 Mamoru TASAKA <mtasaka@fedoraproject.org> - 8.0-8
- SPDX migration
* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 8.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 8.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Jan 18 2024 Fedora Release Engineering <releng@fedoraproject.org> - 8.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 8.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 8.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Fri Nov 25 2022 Mamoru TASAKA <mtasaka@fedoraproject.org> - 8.0-2
- 8.0
* Thu Aug 04 2022 Scott Talbert <swt@techie.net> - 7.0-6
- Rebuild with wxWidgets 3.2
* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 7.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 7.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Mon Jan 25 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Dec 8 2020 Mamoru TASAKA <mtasaka@fedoraproject.org> - 7.0-1
- 7.0
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 6.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 6.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Dec 30 2010 Mamoru TASAKA <mtasaka@fedoraproject.org> - 6.0-1
- 6.0
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.0-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Sun Jan 07 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 5.0-4
- Remove obsolete scriptlets
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Wed Jul 19 2017 Mamoru TASAKA <mtasaka@fedoraproject.org> - 5.0-1
- 5.0
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Sun Jun 19 2016 Mamoru TASAKA <mtasaka@fedoraproject.org> - 4.0-2
- Patch from the upstream to fix sizing and color issue with
GTK 3.20 (bug 1345924)
* Thu Apr 07 2016 Mamoru TASAKA <mtasaka@fedoraproject.org> - 4.0-1
- 4.0
- Enable hardened build again
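Review bot: The f22 side of this spec has no `Patch0: 4Pane-d8b74e4-tmp-file-name.patch` entry and no `%patch -P0 -p1 -b .tmpfile` step in `%prep`, so the 4.0 build carries no fix for the predictable `/tmp/<name>.png` created during SVG preview (fourpane bug 22). Whether 4.0's `PreviewPopup::DisplayImage` contains the same code path is not visible on this page and should be confirmed before treating the branch as unaffected. If the fix is backported, note that the upstream patch seeds `rand()` with `time(NULL)`, so the nine-letter prefix is only as unpredictable as the clock; creating the temporary file atomically with exclusive-create semantics (the `mkstemp()` family) would close the race rather than narrow it. `Source0` is also fetched over plain `http://` on both sides, which leaves the recorded checksum as the only integrity check on the tarball.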


@ -1 +1 @@
SHA512 (4pane-8.0.tar.gz) = 65c7575a08b9dad28c86a71c30c7671ebaf80cd7f89a81b94402ea3a522f0d9922221ac0f0714b851839d51cca70b8905fb109469aab254f2b574863be537fa8
7e447b92a7704c3c12dab65957099475 4pane-4.0.tar.gz
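Review bot: The new entry on the last line pins `4pane-4.0.tar.gz` with a bare 32-hex-digit digest, which is the MD5 format, while the other side uses an explicit `SHA512 (...) =` entry. MD5 is not collision-resistant, and with `Source0` in the spec pointing at a plain `http://` URL this digest is the only integrity check applied to the downloaded tarball. Recording the entry in the same form as the other side, `SHA512 (4pane-4.0.tar.gz) = <sha512 of the verified tarball>`, would give a meaningful check.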