* Bug #15213, #18635: The use of the insecure m_scratch() and

[mmh] / uip / forw.c

diff --git a/uip/forw.c b/uip/forw.c
index 93870b1..7892d7f 100644 (file)
--- a/uip/forw.c
+++ b/uip/forw.c
@@ -285,7 +285,7 @@ main (int argc, char **argv)
            if (folder)
                adios (NULL, "only one folder at a time!");
            else
-               folder = path (cp + 1, *cp == '+' ? TFOLDER : TSUBCWF);
+               folder = pluspath (cp);
        } else {
            msgs[msgp++] = cp;
        }
@@ -444,7 +444,8 @@ try_it_again:
        done (0);
     what_now (ed, nedit, NOUSE, drft, NULL, 0, mp,
        anot ? "Forwarded" : NULL, inplace, cwd);
-    return done (1);
+    done (1);
+    return 1;
 }
 
 
@@ -508,7 +509,7 @@ mhl_draft (int out, char *digest, int volume, int issue,
 
            if (mp->numsel >= MAXARGS - i)
                adios (NULL, "more than %d messages for %s exec",
-                       vec[0], MAXARGS - i);
+                       MAXARGS - i, vec[0]);
 
            /*
             * Now add the message names to filter.  We can only
@@ -649,10 +650,11 @@ build_form (char *form, char *digest, int volume, int issue)
     int fmtsize;
     register char *nfs;
     char *line, tmpfil[BUFSIZ];
-    register FILE *tmp;
+    FILE *tmp;
     register struct comp *cptr;
     struct format *fmt;
     int dat[5];
+    char *cp = NULL;
 
     /* Get new format string */
     nfs = new_fs (form, NULL, NULL);
@@ -674,9 +676,9 @@ build_form (char *form, char *digest, int volume, int issue)
     dat[3] = fmtsize;
     dat[4] = 0;
 
-    strncpy (tmpfil, m_tmpfil (invo_name), sizeof(tmpfil));
-    if ((tmp = fopen (tmpfil, "w+")) == NULL)
-       adios (tmpfil, "unable to create");
+    cp = m_mktemp2(NULL, invo_name, NULL, &tmp);
+    if (cp == NULL) adios("forw", "unable to create temporary file");
+    strncpy (tmpfil, cp, sizeof(tmpfil));
     unlink (tmpfil);
     if ((in = dup (fileno (tmp))) == NOTOK)
        adios ("dup", "unable to");