Item15198: secure default location for tmp files

foswiki · Jul 11, 2023 · f77df4b · f77df4b
1 parent a9ffec1
commit f77df4b
Showing 1 changed file with 3 additions and 14 deletions.
diff --git a/core/lib/Foswiki.pm b/core/lib/Foswiki.pm
@@ -46,7 +46,6 @@ use warnings;
 use Assert;
 use Cwd qw( abs_path );
 use Error qw( :try );
-use File::Spec               ();
 use Monitor                  ();
 use CGI                      ();  # Always required to get html generation tags;
 use Digest::MD5              ();  # For passthru and validation
@@ -1828,19 +1827,9 @@ sub new {
    # Foswiki's behavior.
     $defaultUser = 'admin' if ( $Foswiki::cfg{isBOOTSTRAPPING} );
 
-    unless ( $Foswiki::cfg{TempfileDir} ) {
-
-        # Give it a sane default.
-        if ( $^O eq 'MSWin32' ) {
-
-            # Windows default tmpdir is the C: root  use something sane.
-            # Configure does a better job,  it should be run.
-            $Foswiki::cfg{TempfileDir} = $Foswiki::cfg{WorkingDir};
-        }
-        else {
-            $Foswiki::cfg{TempfileDir} = File::Spec->tmpdir();
-        }
-    }
+    # Give it a sane default owned by the current user (see CVE-2011-4116)
+    $Foswiki::cfg{TempfileDir} = $Foswiki::cfg{WorkingDir} . '/tmp'
+      unless $Foswiki::cfg{TempfileDir};
 
     # Cover all the possibilities
     $ENV{TMPDIR} = $Foswiki::cfg{TempfileDir};