Doom: m_config.c should use the user's home directory for config and save games

[bcoles]

By default, SerenityDOOM uses the current working directory . to store and load configuration files and save game files.

config.c :

// Get the path to the default configuration dir to use, if NULL
// is passed to M_SetConfigDir.

static char *GetDefaultConfigDir(void)
{
    char *result = (char *)malloc(2);
    result[0] = '.';
    result[1] = '\0';

    return result;
}

The M_GetSaveGameDir function attempts to create a directory by concatenating configdir and "savegame/", resulting in a hidden directory called .savegame which probably wasn't intended. The intended path was probably meant to be ./savegame/.

//
// Calculate the path to the directory to use to store save games.
// Creates the directory as necessary.
//

char *M_GetSaveGameDir(char *iwadname)
{
    char *savegamedir;
#if ORIGCODE
    char *topdir;
#endif

# ...

        savegamedir = M_StringJoin(configdir, "savegame/", NULL);

        M_MakeDirectory(savegamedir);

        printf ("Using %s for savegames\n", savegamedir);

Creation of directories in the current working directory creates the possibility for symlink attacks.

Should root desire to slay some demons while browsing a directory writable by low privileged users, such as /tmp, and should a low privileged user have preemptively created the following directory structure, then /etc/passwd would be overwritten by root's saved game.

$ mkdir /tmp/.savegame
$ ln -s /etc/passwd /tmp/.savegame/temp.dsg

[bcoles]

This has been patched upstream ozkl#1