===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/signify/signify.c,v
retrieving revision 1.51
retrieving revision 1.52
diff -c -r1.51 -r1.52
*** src/usr.bin/signify/signify.c	2014/03/16 17:58:28	1.51
--- src/usr.bin/signify/signify.c	2014/03/16 18:03:19	1.52
***************
*** 1,4 ****
! /* $OpenBSD: signify.c,v 1.51 2014/03/16 17:58:28 tedu Exp $ */
  /*
   * Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
   *
--- 1,4 ----
! /* $OpenBSD: signify.c,v 1.52 2014/03/16 18:03:19 tedu Exp $ */
  /*
   * Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
   *
***************
*** 461,469 ****
  		readb64file(sigfile, &sig, sizeof(sig), comment);
  	}
  	if (!pubkeyfile) {
! 		if ((pubkeyfile = strstr(comment, VERIFYWITH)))
  			pubkeyfile += strlen(VERIFYWITH);
! 		else
  			usage("need pubkey");
  	}
  	readb64file(pubkeyfile, &pubkey, sizeof(pubkey), NULL);
--- 461,472 ----
  		readb64file(sigfile, &sig, sizeof(sig), comment);
  	}
  	if (!pubkeyfile) {
! 		if ((pubkeyfile = strstr(comment, VERIFYWITH))) {
  			pubkeyfile += strlen(VERIFYWITH);
! 			if (strstr(pubkeyfile, "/etc/signify") == NULL ||
! 			    strstr(pubkeyfile, "..") != NULL)
! 				errx(1, "untrusted path %s", pubkeyfile);
! 		} else
  			usage("need pubkey");
  	}
  	readb64file(pubkeyfile, &pubkey, sizeof(pubkey), NULL);