Restore package and package alist in handlers.

When setting up a handler frame, we note down the current
package alist and package in the frame. Then when invoking the
handler, we rebind the *package* and *package-alist* special
variables.

This is a needed security measure for sandboxing.  Since
handlers do not unwind (and therefore do not restore special
variables) a handler in sandboxed code could catch an
exception from non-sandboxed code that has changed *package*
or *package-alist*, and take advantage of those changed
values to escape from the sandbox.

* unwind.c (uw_push_handler): Store current package and
package-alist into new fields in the handler frame.
(invoke_handler): Set up a new dynamic environment and
bind *package* and *package-alist* around the handler
call, to the values noted in the frame. Thus the handler
executes with whatever package context was current when
the handler was established.

* unwind.h (struct uw_handler): New members, package and
package_alist.

* txr.1: Add paragraph to Exception Handling about this
issue.

1 files changed, 10 insertions, 0 deletions

diff --git a/unwind.c b/unwind.c
index dc883396..4d96b875 100644
--- a/unwind.c
+++ b/unwind.c
@@ -502,6 +502,8 @@ void uw_push_handler(uw_frame_t *fr, val matches, val fun)
   fr->ha.fun = fun;
   fr->ha.visible = 1;
   fr->ha.up = uw_stack;
+  fr->ha.package = cur_package;
+  fr->ha.package_alist = deref(cur_package_alist_loc);
   uw_stack = fr;
 }
 
@@ -519,14 +521,22 @@ val uw_exception_subtype_p(val sub, val sup)
 
 static void invoke_handler(uw_frame_t *fr, struct args *args)
 {
+  val saved_dyn_env = dyn_env;
+
   fr->ha.visible = 0;
 
   uw_simple_catch_begin;
 
+  dyn_env = make_env(nil, nil, dyn_env);
+
+  env_vbind(dyn_env, package_s, fr->ha.package);
+  env_vbind(dyn_env, package_alist_s, fr->ha.package_alist);
+
   generic_funcall(fr->ha.fun, args);
 
   uw_unwind {
     fr->ha.visible = 1;
+    dyn_env = saved_dyn_env;
   }
 
   uw_catch_end;