Potential TOCTOU Attack Surface #611
Comments
Hello @nevercodecorrect,
that could be one way. You could also directly give permissions at creation time like below, which is also the fix to that known CVE
Thanks for your report @nevercodecorrect, I'm going to work on this issue.
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
This issue was closed because it has been stalled for 5 days with no activity.
Fix will be available soon
@nevercodecorrect Does this seem correct to you? 31353f0
Yes this looks correct
Hello,
In the code here, the `conf_path` file privilege is changed after the creation and data writing. A malicious attacker could perform a TOCTOU attack to read/write the data before the privilege is changed if he knows the timing of the program execution. This is similar to CVE-2022-23651, where the file permission is changed a bit late. There are also other instances of the same issue in the same file.
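The window described in this issue, next to the creation-time approach suggested in the comments, as an added example that is not the project's code or its actual fix. It assumes a POSIX system; `conf_path` is taken from the report, while the function names, the sample data and the `0o600` mode are assumptions made for illustration.

```python
import os
import stat
import tempfile

SECRET = b"token=constructed-sample-value\n"  # constructed sample data


def write_then_chmod(conf_path):
    """Reported pattern: create, write, and only then restrict the file."""
    with open(conf_path, "wb") as f:   # created as 0o666 & ~umask
        f.write(SECRET)
    # Mode other local users see while the data is already on disk.
    exposed = stat.S_IMODE(os.stat(conf_path).st_mode)
    os.chmod(conf_path, 0o600)         # restriction arrives after the write
    return exposed


def create_restricted(conf_path):
    """Mode is applied by open(2) at creation, so no permissive window exists."""
    # O_EXCL matters: the mode argument is ignored for a file that already
    # exists, so a pre-created permissive file must be an error, not reused.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(conf_path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:     # fdopen takes ownership of fd
        initial = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
        f.write(SECRET)
    return initial


def demo():
    """Return (mode during the window, mode at creation) under umask 022."""
    old = os.umask(0o022)              # common default, fixed for repeatability
    try:
        with tempfile.TemporaryDirectory() as d:
            exposed = write_then_chmod(os.path.join(d, "a.conf"))
            initial = create_restricted(os.path.join(d, "b.conf"))
            return exposed, initial
    finally:
        os.umask(old)


if __name__ == "__main__":
    exposed, initial = demo()
    print("write-then-chmod window mode: %o" % exposed)
    print("create-restricted mode:       %o" % initial)
```
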