Protect tempfile creation code against symlink race attacks

FooBarWidget · May 30, 2018 · a9062c2 · a9062c2
1 parent 00c3eb5
commit a9062c2
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/daemon_controller.rb b/lib/daemon_controller.rb
@@ -646,8 +646,8 @@ def is_std_channel_chardev?(path)
   def run_command_while_capturing_output(command)
     # Create tempfile for storing the command's output.
     tempfile = Tempfile.new('daemon-output')
+    tempfile.chmod(0666)
     tempfile_path = tempfile.path
-    File.chmod(0666, tempfile_path)
     tempfile.close
 
     if self.class.fork_supported? || self.class.spawn_supported?