===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/signify/signify.c,v
retrieving revision 1.53
retrieving revision 1.54
diff -c -r1.53 -r1.54
*** src/usr.bin/signify/signify.c 2014/03/16 18:09:49 1.53
--- src/usr.bin/signify/signify.c 2014/03/16 18:12:08 1.54
***************
*** 1,4 ****
! /* $OpenBSD: signify.c,v 1.53 2014/03/16 18:09:49 tedu Exp $ */
/*
* Copyright (c) 2013 Ted Unangst
*
--- 1,4 ----
! /* $OpenBSD: signify.c,v 1.54 2014/03/16 18:12:08 tedu Exp $ */
/*
* Copyright (c) 2013 Ted Unangst
*
***************
*** 466,473 ****
if (!pubkeyfile) {
if ((pubkeyfile = strstr(comment, VERIFYWITH))) {
pubkeyfile += strlen(VERIFYWITH);
! if (strstr(pubkeyfile, "/etc/signify") == NULL ||
! strstr(pubkeyfile, "..") != NULL)
errx(1, "untrusted path %s", pubkeyfile);
} else
usage("need pubkey");
--- 466,473 ----
if (!pubkeyfile) {
if ((pubkeyfile = strstr(comment, VERIFYWITH))) {
pubkeyfile += strlen(VERIFYWITH);
! if (strstr(pubkeyfile, "/etc/signify/") == NULL ||
! strstr(pubkeyfile, "/../") != NULL)
errx(1, "untrusted path %s", pubkeyfile);
} else
usage("need pubkey");
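Review bot: The trust check in the 466,473 hunk is still a substring test, so `strstr(pubkeyfile, "/etc/signify/") == NULL` accepts any path that merely contains that directory name somewhere, not only keys stored under it. Because `pubkeyfile` is taken from the `VERIFYWITH` text in the signature comment, which appears to be attacker-influenced input, the test should be anchored at the start of the string: `if (strncmp(pubkeyfile, "/etc/signify/", strlen("/etc/signify/")) != 0 ||`, keeping the `/../` test as the second condition. A short comment above the test, such as `/* key path comes from the signature comment; only accept keys directly under /etc/signify/ */`, would record why the check exists. The enclosing function begins and ends outside this hunk, so how `comment` is filled is inferred rather than visible here.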