CVE-2017-15111 unsafe /tmp log file in --log-file option in keycloak_…

…cli.py keycloak_cli.py is essentially a set of utilities used by the keycloak-httpd-client-install tool. It can be invoked on it's own, mostly for testing or to execute just one part of the Keycloak REST API. It's log file defaulted to /tmp/{prog_name}.log where prog_name is the name of the program that invoked it. That default was changed to {prog_name}.log so the log file is created in the current directory instead of under /tmp. Use of the /var/log directory was avoided because that requires root privileges.
jdennis · Jan 9, 2018 · 07f26e2 · 07f26e2
1 parent c3121b2
commit 07f26e2
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/keycloak_httpd_client/keycloak_cli.py b/keycloak_httpd_client/keycloak_cli.py
@@ -863,7 +863,7 @@ def main():
                              'error message')
 
     parser.add_argument('--log-file',
-                        default='/tmp/{prog_name}.log'.format(
+                        default='{prog_name}.log'.format(
                             prog_name=prog_name),
                         help='log file pathname')