Bug 708098 - Further mitigation for CVE-2012-4245 (script-fu-server)

Add an "ip" parameter as *first* argument to the
plug-in-script-fu-server procedure. This is an incompatible change
with the intent to make any old-style calls to the procedure
fail. Also reorder the GUI to have the IP in the first line.

plug-ins/script-fu/script-fu-server.c

@@ -134,13 +134,13 @@ typedef struct
 
 typedef struct
 {
+  GtkWidget *ip_entry;
   GtkWidget *port_entry;
   GtkWidget *log_entry;
-  GtkWidget *ip_entry;
 
+  gchar     *listen_ip;
   gint       port;
   gchar     *logfile;
-  gchar     *listen_ip;
 
   gboolean   run;
 } ServerInterface;
@@ -158,9 +158,9 @@ typedef union
  *  Local Functions
  */
 
-static void      server_start       (gint         port,
-                                     const gchar *logfile,
-                                     const gchar *ip);
+static void      server_start       (const gchar *listen_ip,
+                                     gint         port,
+                                     const gchar *logfile);
 static gboolean  execute_command    (SFCommand   *cmd);
 static gint      read_from_client   (gint         filedes);
 static gint      make_socket        (const struct addrinfo
@@ -196,9 +196,9 @@ static ServerInterface sint =
   NULL,  /*  log entry widget     */
   NULL,  /*  ip entry widget      */
 
+  NULL,  /*  ip to bind to        */
   10008, /*  default port number  */
   NULL,  /*  use stdout           */
-  NULL,  /*  ip to bind to        */
 
   FALSE  /*  run                  */
 };
@@ -243,7 +243,7 @@ script_fu_server_run (const gchar      *name,
           server_mode = TRUE;
 
           /*  Start the server  */
-          server_start (sint.port, sint.logfile, sint.listen_ip);
+          server_start (sint.listen_ip, sint.port, sint.logfile);
         }
       break;
 
@@ -252,9 +252,11 @@ script_fu_server_run (const gchar      *name,
       server_mode = TRUE;
 
       /*  Start the server  */
-      server_start (params[1].data.d_int32,
-                    params[2].data.d_string,
-                    nparams > 3 ? params[3].data.d_string : "127.0.0.1");
+      server_start ((params[3].data.d_string &&
+                     strlen (params[3].data.d_string)) ?
+                    params[3].data.d_string : "127.0.0.1",
+                    params[1].data.d_int32,
+                    params[2].data.d_string);
       break;
 
     case GIMP_RUN_WITH_LAST_VALS:
@@ -455,9 +457,9 @@ server_progress_uninstall (const gchar *progress)
 }
 
 static void
-server_start (gint         port,
-              const gchar *logfile,
-              const gchar *listen_ip)
+server_start (const gchar *listen_ip,
+              gint         port,
+              const gchar *logfile)
 {
   struct addrinfo *ai;
   struct addrinfo *ai_curr;
@@ -856,26 +858,26 @@ server_interface (void)
   gtk_box_pack_start (GTK_BOX (main_vbox), table, FALSE, FALSE, 0);
   gtk_widget_show (table);
 
+  /* The server ip to listen to */
+  sint.ip_entry = gtk_entry_new ();
+  gtk_entry_set_text (GTK_ENTRY (sint.ip_entry), "127.0.0.1");
+  gimp_table_attach_aligned (GTK_TABLE (table), 0, 0,
+                             _("Listen on IP:"), 0.0, 0.5,
+                             sint.ip_entry, 1, FALSE);
+
   /*  The server port  */
   sint.port_entry = gtk_entry_new ();
   gtk_entry_set_text (GTK_ENTRY (sint.port_entry), "10008");
-  gimp_table_attach_aligned (GTK_TABLE (table), 0, 0,
+  gimp_table_attach_aligned (GTK_TABLE (table), 0, 1,
                              _("Server port:"), 0.0, 0.5,
                              sint.port_entry, 1, FALSE);
 
   /*  The server logfile  */
   sint.log_entry = gtk_entry_new ();
-  gimp_table_attach_aligned (GTK_TABLE (table), 0, 1,
+  gimp_table_attach_aligned (GTK_TABLE (table), 0, 2,
                              _("Server logfile:"), 0.0, 0.5,
                              sint.log_entry, 1, FALSE);
 
-  /* The server ip to listen to */
-  sint.ip_entry = gtk_entry_new ();
-  gtk_entry_set_text (GTK_ENTRY (sint.ip_entry), "127.0.0.1");
-  gimp_table_attach_aligned (GTK_TABLE (table), 0, 2,
-                             _("Listen on IP:"), 0.0, 0.5,
-                             sint.ip_entry, 1, FALSE);
-
   /* Warning */
   hbox = gtk_box_new (GTK_ORIENTATION_HORIZONTAL, 6);
   gtk_box_pack_start (GTK_BOX (main_vbox), hbox, FALSE, FALSE, 0);

plug-ins/script-fu/script-fu.c

@@ -89,6 +89,7 @@ script_fu_query (void)
   static const GimpParamDef server_args[] =
   {
     { GIMP_PDB_INT32,  "run-mode", "The run mode { RUN-NONINTERACTIVE (1) }"  },
+    { GIMP_PDB_STRING, "ip",       "The ip on which to listen for requests"   },
     { GIMP_PDB_INT32,  "port",     "The port on which to listen for requests" },
     { GIMP_PDB_STRING, "logfile",  "The file to log server activity to"       }
   };
@@ -138,7 +139,12 @@ script_fu_query (void)
 
   gimp_install_procedure ("plug-in-script-fu-server",
                           N_("Server for remote Script-Fu operation"),
-                          "Provides a server for remote script-fu operation",
+                          "Provides a server for remote script-fu operation. "
+                          "NOTE that for security reasons this procedure's "
+                          "API was changed in an incompatible way since "
+                          "GIMP 2.8.12. You now have to pass the IP to listen "
+                          "on as first parameter. Calling this procedure with "
+                          "the old API will fail on purpose.",
                           "Spencer Kimball & Peter Mattis",
                           "Spencer Kimball & Peter Mattis",
                           "1997",