From 52ed099fe6770df16cfe16d86283e50921c8c123 Mon Sep 17 00:00:00 2001
From: Justine Tunney
Date: Fri, 17 Jun 2022 07:51:26 -0700
Subject: [PATCH] Favor $HOME directory over /tmp This should strike a better compromise that keeps people happy about the security of APE when it extracts the loader. This way systems with users who aren't trusted (e.g. CPanel) won't be at any risk of compromise when there isn't an `ape` loader on the system `$PATH`. This change also bumps redbean up to 2.0.3
---
 ape/ape.S | 20 +++++---------------
 tool/net/redbean.c | 2 +-
 2 files changed, 6 insertions(+), 16 deletions(-)
diff --git a/ape/ape.S b/ape/ape.S
index 024eed8ee..66bb1b030 100644
--- a/ape/ape.S
+++ b/ape/ape.S
@@ -551,7 +551,7 @@ apesh: .ascii "'\n#'\"\n" # sixth edition shebang
 // extract the loader into a temp folder, and use it to
 // load the APE without modifying it.
 .ascii "[ x\"$1\" != x--assimilate ] && {\n"
- .ascii "t=\"${TMPDIR:-/tmp}/ape\"\n"
+ .ascii "t=\"${TMPDIR:-${HOME:-.}}/.ape\"\n"
 .ascii "[ -x \"$t\" ] || {\n"
 .ascii "mkdir -p \"${t%/*}\" &&\n"
 .ascii "dd if=\"$o\" of=\"$t.$$\" skip=\""
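Review bot: The added `t="${TMPDIR:-${HOME:-.}}/.ape"` line can still resolve to a directory that other users control, and the unchanged `[ -x "$t" ]` test below it reuses whatever executable already sits at that path. A `TMPDIR` that points at a shared world-writable directory keeps the old exposure, and with `TMPDIR` and `HOME` both unset the fallback is the current directory, so a `.ape` file in the directory the program is started from is treated as the loader. Consider failing instead of falling back to `.`, and checking ownership before reuse, e.g. `[ -x "$t" ] && [ -O "$t" ] || {`, provided every shell this header targets supports `-O`. The same expression is added in the `@@ -580` hunk of ape/ape.S, and the shell block continues past the end of this hunk.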
@@ -580,20 +580,10 @@ apesh: .ascii "'\n#'\"\n" # sixth edition shebang
 // We prefer this because it's a tiny constant one time cost.
 // We simply printf a 64-byte header and call execve() again.
 #else
-// The alternative behavior is to copy to $TMPDIR and edit.
-// This imposes a variety of caveats of its own that should
-// be considered by the user beforehand, such as whether or
-// not /tmp is considered trustworthy on a given system, or
-// if the administrator chose to mount it with noexec. It's
-// up to the user to decide what's best in those situations
-// and also note that argv[0] and getauxval(AT_EXECFN) will
-// change as a result of this, and lastly note we don't try
-// to cleanup the tmp copies for the sake of efficiency. It
-// should also be noted that if $0 has directory components
-// then permission clashes can happen between system users,
-// since only root is able to set the sticky bit, which can
-// be addressed simply by overriding the TMPDIR environment
- .ascii "t=\"${TMPDIR:-/tmp}/$0\"\n"
+// The alternative behavior is to copy to $TMPDIR or $HOME or
+// the current directory. We like TMPDIR because it's part of
+// the IEEE POSIX standard whereas alternatives (XDG) aren't.
+ .ascii "t=\"${TMPDIR:-${HOME:-.}}/$0\"\n"
 .ascii "[ x\"$1\" != x--assimilate ] || [ ! -e \"$t\" ] && {\n"
 .ascii "[ x\"$1\" != x--assimilate ] && {\n"
 .ascii "mkdir -p \"${t%/*}\" 2>/dev/null\n"
diff --git a/tool/net/redbean.c b/tool/net/redbean.c
index 4df1cf308..a39bdf153 100644
--- a/tool/net/redbean.c
+++ b/tool/net/redbean.c
@@ -138,7 +138,7 @@ STATIC_YOINK("zip_uri_support");
 #define REDBEAN "redbean"
 #endif
-#define VERSION 0x020002
+#define VERSION 0x020003
 #define HEARTBEAT 5000 /*ms*/
 #define HASH_LOAD_FACTOR /* 1. / */ 4
 #define MONITOR_MICROS 150000
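Review bot: In the `@@ -580` hunk of ape/ape.S the rewritten comment drops caveats that, as far as the visible lines show, still apply to the copy made at `$t`: the removed text told the reader to judge whether the target directory is trustworthy, that it may be mounted noexec, and that `argv[0]` and `getauxval(AT_EXECFN)` change. Nothing on the new side alters those behaviours, so the three new comment lines leave them undocumented. I would keep a short form after them, such as `// The chosen directory must not be writable by other users and` `// must allow exec; argv[0] and getauxval(AT_EXECFN) will change.` The shell block this comment describes continues past the end of the hunk, so the remaining caveats (no cleanup of copies, directory components in `$0`) should be checked against the code there before they are dropped for good.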