File ruby-1.8.x_fileutils_symlink_race.patch of Package ruby

r30905 | shyouhei | 2011-02-18 12:48:02 +0100 (Fri, 18 Feb 2011) | 7 lines

merge revision(s) 30896:
  * lib/fileutils.rb (FileUtils::remove_entry_secure): there is a
    race condition in the case where the given path is a directory,
    and some other user can move that directory, and create a
    symlink while this method is executing.
    Reported by: Nicholas Jefferson <nicholas at pythonic.com.au>

Index: lib/fileutils.rb
===================================================================
--- lib/fileutils.rb.orig	2009-06-29 06:21:32.000000000 +0200
+++ lib/fileutils.rb	2011-03-03 18:13:17.026046278 +0100
@@ -657,10 +657,10 @@ module FileUtils
   # removing directories.  This requires the current process is the
   # owner of the removing whole directory tree, or is the super user (root).
   #
-  # WARNING: You must ensure that *ALL* parent directories are not
-  # world writable.  Otherwise this method does not work.
-  # Only exception is temporary directory like /tmp and /var/tmp,
-  # whose permission is 1777.
+  # WARNING: You must ensure that *ALL* parent directories cannot be
+  # moved by other untrusted users.  For example, parent directories
+  # should not be owned by untrusted users, and should not be world
+  # writable except when the sticky bit set.
   #
   # WARNING: Only the owner of the removing directory tree, or Unix super
   # user (root) should invoke this method.  Otherwise this method does not
@@ -703,6 +703,11 @@ module FileUtils
       end
       f.chown euid, -1
       f.chmod 0700
+      unless fu_stat_identical_entry?(st, File.lstat(fullpath))
+        # TOC-to-TOU attack?
+        File.unlink fullpath
+        return
+      end
     }
     # ---- tree root is frozen ----
     root = Entry_.new(path)