~ chicken-core (chicken-5) c6750af99ada7fa4815ee834e4e705bcfac9c137


commit c6750af99ada7fa4815ee834e4e705bcfac9c137
Author:     Florian Zumbiehl <florz@florz.de>
AuthorDate: Fri Mar 15 06:58:42 2013 +0100
Commit:     Mario Domenech Goulart <mario.goulart@gmail.com>
CommitDate: Fri Mar 15 22:13:27 2013 -0300

    csi: fix untrusted code execution by (load)ing ./.csirc
    
    Remove (load)ing of ./.csirc on csi startup as it can lead to execution of
    untrusted code.
    
    Signed-off-by: Peter Bex <peter.bex@xs4all.nl>
    Signed-off-by: Mario Domenech Goulart <mario.goulart@gmail.com>

diff --git a/NEWS b/NEWS
index 40233389..c21c7cf9 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,9 @@
 4.8.2
 
+- Security fixes
+  - ./.csirc is no longer loaded from the current directory upon startup of csi,
+    which could lead to untrusted code execution. (thanks to Florian Zumbiehl)
+
 - Tools
   - csc: added "-oi"/"-ot" options as alternatives to "-emit-inline-file"
     and "-emit-type-file", respectively; "-n" has been deprecated.
diff --git a/csi.scm b/csi.scm
index b2b9f243..55a2ce84 100644
--- a/csi.scm
+++ b/csi.scm
@@ -1019,13 +1019,11 @@ EOF
 			  (cons (cadr p) (loop (cddr p)))) ) ]
 		[else '()] ) ) )
       (define (loadinit)
-	(let ([fn (##sys#string-append "./" init-file)])
-	  (if (file-exists? fn)
-	      (load fn)
-	      (let* ([prefix (chop-separator (or (get-environment-variable "HOME") "."))]
-		     [fn (string-append prefix "/" init-file)] )
-		(when (file-exists? fn) 
-		  (load fn) ) ) ) ) )
+	(and-let* ((home (get-environment-variable "HOME"))
+		   ((not (string=? home ""))))
+	  (let ((fn (string-append (chop-separator home) "/" init-file)))
+	    (when (file-exists? fn)
+		  (load fn) ) ) ) )
       (define (evalstring str #!optional (rec (lambda _ (void))))
 	(let ((in (open-input-string str)))
 	  (do ([x (read in) (read in)])
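Review bot: The new guard in `loadinit` rejects only an unset or empty HOME, so a relative value such as `.` still makes `fn` resolve against the current directory, which is the lookup this commit sets out to remove. Requiring an absolute path would close that gap, for example with an extra `and-let*` clause `((absolute-pathname? home))`, if that procedure is available to csi.scm (not visible from the hunk). A one-line comment above the `and-let*`, such as `;; Only $HOME is searched: an init file in the current directory may be untrusted`, would help keep the current-directory lookup from being reintroduced later. `loadinit` is an internal definition whose enclosing body starts and ends outside the hunk.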