File ruby-1.8.x_fileutils_symlink_race.patch of Package ruby
r30905 | shyouhei | 2011-02-18 12:48:02 +0100 (Fri, 18 Feb 2011) | 7 lines
merge revision(s) 30896:
* lib/fileutils.rb (FileUtils::remove_entry_secure): there is a
race condition in the case where the given path is a directory,
and some other user can move that directory, and create a
symlink while this method is executing.
Reported by: Nicholas Jefferson <nicholas at pythonic.com.au>
Index: lib/fileutils.rb
===================================================================
--- lib/fileutils.rb.orig 2009-06-29 06:21:32.000000000 +0200
+++ lib/fileutils.rb 2011-03-03 18:13:17.026046278 +0100
@@ -657,10 +657,10 @@ module FileUtils
# removing directories. This requires the current process is the
# owner of the removing whole directory tree, or is the super user (root).
#
- # WARNING: You must ensure that *ALL* parent directories are not
- # world writable. Otherwise this method does not work.
- # Only exception is temporary directory like /tmp and /var/tmp,
- # whose permission is 1777.
+ # WARNING: You must ensure that *ALL* parent directories cannot be
+ # moved by other untrusted users. For example, parent directories
+ # should not be owned by untrusted users, and should not be world
+ # writable except when the sticky bit set.
#
# WARNING: Only the owner of the removing directory tree, or Unix super
# user (root) should invoke this method. Otherwise this method does not
@@ -703,6 +703,11 @@ module FileUtils
end
f.chown euid, -1
f.chmod 0700
+ unless fu_stat_identical_entry?(st, File.lstat(fullpath))
+ # TOC-to-TOU attack?
+ File.unlink fullpath
+ return
+ end
}
# ---- tree root is frozen ----
root = Entry_.new(path)