3158daef37
Symlink race condition in FileUtils.remove_entry_secure (bug 678913) bypass of $SAFE mechanism in Exception#to_s (bug 678920)
29 lines
1.2 KiB
Diff
29 lines
1.2 KiB
Diff
--- ruby-1.8.7-p330/lib/fileutils.rb 2010-06-08 15:31:50.000000000 +0900
|
|
+++ ruby-1.8.7-p334/lib/fileutils.rb 2011-02-18 21:18:10.000000000 +0900
|
|
@@ -658,10 +658,10 @@
|
|
# removing directories. This requires the current process is the
|
|
# owner of the removing whole directory tree, or is the super user (root).
|
|
#
|
|
- # WARNING: You must ensure that *ALL* parent directories are not
|
|
- # world writable. Otherwise this method does not work.
|
|
- # Only exception is temporary directory like /tmp and /var/tmp,
|
|
- # whose permission is 1777.
|
|
+ # WARNING: You must ensure that *ALL* parent directories cannot be
|
|
+ # moved by other untrusted users. For example, parent directories
|
|
+ # should not be owned by untrusted users, and should not be world
|
|
+ # writable except when the sticky bit set.
|
|
#
|
|
# WARNING: Only the owner of the removing directory tree, or Unix super
|
|
# user (root) should invoke this method. Otherwise this method does not
|
|
@@ -704,6 +704,11 @@
|
|
end
|
|
f.chown euid, -1
|
|
f.chmod 0700
|
|
+ unless fu_stat_identical_entry?(st, File.lstat(fullpath))
|
|
+ # TOC-to-TOU attack?
|
|
+ File.unlink fullpath
|
|
+ return
|
|
+ end
|
|
}
|
|
# ---- tree root is frozen ----
|
|
root = Entry_.new(path)
|