
DP: Fix insecure /tmp handling (#255768, #324913)

Martin Michlmayr <tbm@cyrius.com>
Peter Samuelson <peter@p12n.org>
1 parent e88d6d8 commit 1167917dcea44b501badc929b4ec0bca4bdf48b8 @holizz committed
Showing with 26 additions and 13 deletions.
  1. +1 −1 README
  2. +16 −3 cplay
  3. +9 −9 lircrc
2 README
@@ -55,5 +55,5 @@ Miscellaneous:
It is also possible to pipe a playlist to cplay, as stdin
will be reopened on startup unless it is attached to a tty.
- Remote control via /var/tmp/cplay_control; see lircrc.
+ Remote control via /tmp/cplay-control-$USER; see lircrc.
19 cplay
@@ -63,7 +63,7 @@ except:
# ------------------------------------------
XTERM = re.search("rxvt|xterm", os.environ["TERM"])
-CONTROL_FIFO = "/var/tmp/cplay_control"
+CONTROL_FIFO = "%s/cplay-control-%s" % (os.environ.get("TMPDIR", "/tmp"), os.environ["USER"])
# ------------------------------------------
def which(program):
@@ -1346,8 +1346,6 @@ class Timeout:
# ------------------------------------------
class FIFOControl:
def __init__(self):
- try: self.fd = open(CONTROL_FIFO, "rb+", 0)
- except: self.fd = None
self.commands = {
"pause" : [app.toggle_pause, []],
"next" : [app.next_song, []],
@@ -1362,6 +1360,16 @@ class FIFOControl:
"empty" : [app.win_playlist.command_delete_all, []],
"quit" : [app.quit, []]
}
+ self.fd = None
+ try:
+ if os.path.exists(CONTROL_FIFO):
+ os.unlink(CONTROL_FIFO)
+ os.mkfifo(CONTROL_FIFO, 0600)
+ self.fd = open(CONTROL_FIFO, "rb+", 0)
+ except IOError:
+ # warn that we're disabling the fifo because someone raced us?
+ return
+
def handle_command(self):
argv = self.fd.readline().strip().split(" ", 1)
@@ -1446,6 +1454,11 @@ class Application:
XTERM and sys.stderr.write("\033]0;%s\a" % "xterm")
tty and tty.tcsetattr(sys.stdin.fileno(), tty.TCSADRAIN, self.tcattr)
print
+ # remove temporary files
+ try:
+ if os.path.exists(CONTROL_FIFO): os.unlink(CONTROL_FIFO)
+ except IOError:
+ pass
def run(self):
while 1:
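Review bot: The new `except IOError:` in `FIFOControl.__init__` does not cover `os.unlink` and `os.mkfifo`, which raise `OSError`; the `0600` literal and the bare `print` point to Python 2, where neither class derives from the other. An entry already sitting at the predictable `CONTROL_FIFO` name that this user cannot remove (a sticky /tmp refuses the unlink), or a dangling symlink that `os.path.exists` reports as absent, therefore ends startup with a traceback instead of leaving `self.fd` as None. Use `except (IOError, OSError):` here and in the cleanup hunk after `print`, which has the same mismatch and also unlinks the path even when this process never created the FIFO. An `os.fstat(self.fd.fileno())` check after `open`, confirming a FIFO owned by `os.getuid()`, would additionally cover a TMPDIR that is writable by others but not sticky. Both methods begin outside their hunks, and `os.environ["USER"]` in the first hunk raises `KeyError` at import time when USER is unset.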
18 lircrc
@@ -3,7 +3,7 @@ begin
button = SKIP_FORWARD_DOWN
prog = irexec
repeat = 0
- config = echo "next" > /var/tmp/cplay_control
+ config = echo "next" > ${TMPDIR-/tmp}/cplay-control-$USER
end
begin
@@ -11,7 +11,7 @@ begin
button = SKIP_BACKWARD_DOWN
prog = irexec
repeat = 0
- config = echo "prev" > /var/tmp/cplay_control
+ config = echo "prev" > ${TMPDIR-/tmp}/cplay-control-$USER
end
begin
@@ -19,7 +19,7 @@ begin
button = REWIND_DOWN
prog = irexec
repeat = 1
- config = echo "backward" > /var/tmp/cplay_control
+ config = echo "backward" > ${TMPDIR-/tmp}/cplay-control-$USER
end
begin
@@ -27,7 +27,7 @@ begin
button = FORWARD_DOWN
prog = irexec
repeat = 1
- config = echo "forward" > /var/tmp/cplay_control
+ config = echo "forward" > ${TMPDIR-/tmp}/cplay-control-$USER
end
begin
@@ -35,7 +35,7 @@ begin
button = PLAY_DOWN
prog = irexec
repeat = 0
- config = echo "play" > /var/tmp/cplay_control
+ config = echo "play" > ${TMPDIR-/tmp}/cplay-control-$USER
end
begin
@@ -43,7 +43,7 @@ begin
button = STOP_DOWN
prog = irexec
repeat = 0
- config = echo "stop" > /var/tmp/cplay_control
+ config = echo "stop" > ${TMPDIR-/tmp}/cplay-control-$USER
end
begin
@@ -51,7 +51,7 @@ begin
button = VOLUME_UP_DOWN
prog = irexec
repeat = 1
- config = echo "volup" > /var/tmp/cplay_control
+ config = echo "volup" > ${TMPDIR-/tmp}/cplay-control-$USER
end
begin
@@ -59,7 +59,7 @@ begin
button = VOLUME_DOWN_DOWN
prog = irexec
repeat = 1
- config = echo "voldown" > /var/tmp/cplay_control
+ config = echo "voldown" > ${TMPDIR-/tmp}/cplay-control-$USER
end
begin
@@ -67,5 +67,5 @@ begin
button = POWER_DOWN
prog = irexec
repeat = 0
- config = echo "quit" > /var/tmp/cplay_control
+ config = echo "quit" > ${TMPDIR-/tmp}/cplay-control-$USER
end
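Review bot: Each `config` line redirects into the path by name, so when cplay is not running the shell creates a regular file there, or writes to whatever already exists under that name in the shared directory. Guarding the write with a FIFO test keeps the command a no-op in that case, e.g. `config = [ -p ${TMPDIR-/tmp}/cplay-control-$USER ] && echo "next" > ${TMPDIR-/tmp}/cplay-control-$USER`. The variables are presumably expanded by the shell irexec starts, so the file should state in a comment that irexec has to run as the same user and with the same TMPDIR as cplay; otherwise the two sides compute different paths. This applies to all nine hunks in the section.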
