Use non-predictable filename for downloaded patch file

Since the /tmp directory is readable by everybody on Unix, and since the patch name could be public or easy to guess, a attacker could create a symlink to a file writable by the user running hub, which would be replaced by the patch. This has been assigned CVE-2014-0177
mislav · Apr 15, 2014 · 016ec99 · 016ec99
1 parent 8150ddb
commit 016ec99
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 5 deletions.
diff --git a/lib/hub/commands.rb b/lib/hub/commands.rb
@@ -519,7 +519,7 @@ def am(args)
           end
         end
 
-        patch_file = File.join(tmp_dir, patch_name)
+        patch_file = Tempfile.new('patch_name')
         File.open(patch_file, 'w') { |file| file.write(patch) }
         args[idx] = patch_file
       end

diff --git a/lib/hub/context.rb b/lib/hub/context.rb
@@ -556,10 +556,6 @@ def command?(name)
         !which(name).nil?
       end
 
-      def tmp_dir
-        ENV['TMPDIR'] || ENV['TEMP'] || '/tmp'
-      end
-
       def terminal_width
         if unix?
           width = %x{stty size 2>#{NULL}}.split[1].to_i