The recover script should have the same sanity checks as recover.c.

Specifically, open files with O_NONBLOCK and enforce a mode of 0600.

diff --git a/usr.bin/vi/build/recover b/usr.bin/vi/build/recover
index 0865576..963542e 100644 (file)
--- a/usr.bin/vi/build/recover
+++ b/usr.bin/vi/build/recover
@@ -1,6 +1,6 @@
 #!/usr/bin/perl -w
 #
-# $OpenBSD: recover,v 1.11 2016/11/05 16:21:56 afresh1 Exp $
+# $OpenBSD: recover,v 1.12 2018/02/03 15:44:36 millert Exp $
 #
 # Script to (safely) recover nvi edit sessions.
 #
@@ -60,7 +60,7 @@ rewinddir(RECDIR);
 foreach $file (readdir(RECDIR)) {
        next unless $file =~ /^recover\./;
 
-       if (!sysopen(RECFILE, $file, O_RDONLY|O_NOFOLLOW)) {
+       if (!sysopen(RECFILE, $file, O_RDONLY|O_NOFOLLOW|O_NONBLOCK)) {
            warn "$0: can't open $file: $!\n";
            next;
        }
@@ -68,12 +68,17 @@ foreach $file (readdir(RECDIR)) {
        #
        # Delete anything that is not a regular file as that is either
        # filesystem corruption from fsck or an exploit attempt.
+       # Real vi recovery files are created with mode 0600, ignore others.
        #
        if (!stat(RECFILE)) {
                warn "$0: can't stat $file: $!\n";
                close(RECFILE);
                next;
        }
+       if (((stat(_))[2] & 07777) != 0600) {
+               close(RECFILE);
+               next;
+       }
        $owner = (stat(_))[4];
        if (! -f _ || ! -s _) {
                unlink($file) unless -d _;