@@ -1,3 +1,10 @@

+Fri Apr 29 00:42:45 CEST 2005 (tk)

+----------------------------------

+  * shared/misc.c: (Mac OS X only) execute ditto with execl to eliminate

+		   potential security problem on multi-user OS X versions

+		   (reported by Tim Morgan <tim*sentinelchicken.org> and

+		   Kevin Amorin <kamorin*ccs.neu.edu>)

+

 Thu Apr 28 15:50:01 BST 2005 (njh)

 ----------------------------------

   * libclamav/mbox.c:	Work around to handle long lines transmitted by

@@ -107,17 +107,22 @@ int filecopy(const char *src, const char *dest)

 {

 #ifdef C_DARWIN

-    /* On Mac OS X use ditto and copy resource fork, too. */

-    char *ditto = (char *) mcalloc(strlen(src) + strlen(dest) + 30, sizeof(char));

-    sprintf(ditto, "/usr/bin/ditto --rsrc %s %s", src, dest);

+	pid_t pid;

-    if(system(ditto)) {

-	free(ditto);

-	return -1;

+    /* On Mac OS X use ditto and copy resource fork, too. */

+    switch(pid = fork()) {

+	case -1:

+	    return -1;

+	case 0:

+	    execl("/usr/bin/ditto", "ditto", "--rsrc", src, dest, NULL);

+	    perror("execv(ditto)");

+	    break;

+	default:

+	    wait(NULL);

+	    return 0;

     }

-    free(ditto);

-    return 0;

+    return -1;

 #else

 	char buffer[FILEBUFF];