commit d7cada912ae751364577affaf215279bb0277122
from: Markus Uhlin
date: Sun Aug 3 08:49:58 2025 UTC
create_news_file: restricted file permissions (upon creation)
commit - 3b92b4c38e62976d3299c99ca9b91f85bafe2df7
commit + d7cada912ae751364577affaf215279bb0277122
blob - b6469338e78e8b750eecda616bdce1ed848a7765
blob + 2478cabe77032e16271ce9c08dd85232ecfa5c47
--- FICS/adminproc.c
+++ FICS/adminproc.c
@@ -175,6 +175,7 @@ create_news_file(int p, param_list param, int admin)
 {
 FILE *fp;
 char filename[MAX_FILENAME_SIZE] = { '\0' };
+ int fd;
 ASSERT(parray[p].adminLevel >= ADMIN_ADMIN);
@@ -187,10 +188,14 @@ create_news_file(int p, param_list param, int admin)
 msnprintf(filename, sizeof filename, "%s/adminnews.%d", news_dir, param[0].val.integer);
- if ((fp = fopen(filename, "w")) != NULL) {
+ fd = open(filename, O_WRONLY|O_CREAT, S_IWUSR|S_IRUSR);
+ if (fd < 0)
+ return COM_FAILED;
+ else if ((fp = fdopen(fd, "w")) != NULL) {
 fprintf(fp, "%s\n", param[1].val.string);
 fclose(fp);
- }
+ } else
+ close(fd);
 }
 } else {
 if (param[0].val.integer > num_news) {
@@ -200,10 +205,14 @@ create_news_file(int p, param_list param, int admin)
 msnprintf(filename, sizeof filename, "%s/news.%d", news_dir, param[0].val.integer);
- if ((fp = fopen(filename, "w")) != NULL) {
+ fd = open(filename, O_WRONLY|O_CREAT, S_IWUSR|S_IRUSR);
+ if (fd < 0)
+ return COM_FAILED;
+ else if ((fp = fdopen(fd, "w")) != NULL) {
 fprintf(fp, "%s\n", param[1].val.string);
 fclose(fp);
- }
+ } else
+ close(fd);
 }
 }
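Review bot: The new `open()` call in the `adminnews.%d` branch drops the truncation that `fopen(filename, "w")` performed, so rewriting an existing news item with a shorter body leaves the tail of the old text in the file; the `news.%d` branch in the next hunk has the same problem. Adding `O_TRUNC` restores the old behaviour: `fd = open(filename, O_WRONLY|O_CREAT|O_TRUNC, S_IWUSR|S_IRUSR);`. The mode argument only takes effect when the file is created, so news files that already exist keep their previous permissions; an `fchmod(fd, S_IRUSR|S_IWUSR)` after a successful open would tighten those as well. Whether `<fcntl.h>` and `<sys/stat.h>` are already included in adminproc.c is not visible in this diff, and the body of create_news_file continues outside the hunk.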
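Review bot: A failed `fdopen()` in this `news.%d` branch (and in the `adminnews.%d` branch of the previous hunk) only closes the descriptor and falls through, while a failed `open()` returns `COM_FAILED`; the results of `fprintf()` and `fclose()` are ignored too, so a short write on a full disk leaves a truncated news file with no error reported. What the function returns after falling through lies outside the hunk, so the caller-visible effect is presumed rather than confirmed. Since the open/fdopen/write sequence is now duplicated in both branches, I would move it into one static helper that reports every failure and have both branches return `COM_FAILED` when it fails. The sketch below uses only calls already present in the patch plus `O_TRUNC`.

```c
/* Write one news item to 'path'; a newly created file is owner-only. */
static int
write_news_file(const char *path, const char *text)
{
	FILE	*fp;
	int	 fd;

	/* O_TRUNC: fopen(..., "w") used to truncate; keep that on overwrite */
	fd = open(path, O_WRONLY|O_CREAT|O_TRUNC, S_IWUSR|S_IRUSR);
	if (fd < 0)
		return -1;
	if ((fp = fdopen(fd, "w")) == NULL) {
		close(fd);
		return -1;
	}
	if (fprintf(fp, "%s\n", text) < 0) {
		fclose(fp);
		return -1;
	}
	/* fclose() flushes; a failure here means the text did not reach disk */
	return (fclose(fp) == 0 ? 0 : -1);
}

/* … unchanged: msnprintf() building "%s/news.%d" … */
if (write_news_file(filename, param[1].val.string) != 0)
	return COM_FAILED;
```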