Commit 016ec99

mscherer authored and mislav committed
Use non-predictable filename for downloaded patch file
Since the /tmp directory is readable by everybody on Unix, and since the patch name could be public or easy to guess, an attacker could create a symlink to a file writable by the user running hub, which would be replaced by the patch. This has been assigned CVE-2014-0177.
1 parent 8150ddb commit 016ec99

2 files changed

+1
-5
lines changed

Diff for: lib/hub/commands.rb

+1-1
@@ -519,7 +519,7 @@ def am(args)
519519
end
520520
end
521521

522-
patch_file = File.join(tmp_dir, patch_name)
522+
patch_file = Tempfile.new('patch_name')
523523
File.open(patch_file, 'w') { |file| file.write(patch) }
524524
args[idx] = patch_file
525525
end
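Review bot: `Tempfile.new` returns a Tempfile object rather than a path string, so `args[idx] = patch_file` now stores an object where a filename used to be; unless whatever consumes `args` accepts anything responding to `to_path`, pass `patch_file.path` instead, and keep a reference to the Tempfile (or `close` it without `unlink`) so finalization does not delete the file before it is read. The prefix `'patch_name'` is a string literal, whereas the removed line used the `patch_name` variable; a generic prefix is fine for a temporary file, but this reads like a slip. Tempfile already opens the file for writing, so the following `File.open(patch_file, 'w')` opens a second handle on it; `patch_file.write(patch); patch_file.close` would be simpler. Also confirm that `require 'tempfile'` is present in this file, since the hunk does not show it.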

Diff for: lib/hub/context.rb

-4
@@ -556,10 +556,6 @@ def command?(name)
556556
!which(name).nil?
557557
end
558558

559-
def tmp_dir
560-
ENV['TMPDIR'] || ENV['TEMP'] || '/tmp'
561-
end
562-
563559
def terminal_width
564560
if unix?
565561
width = %x{stty size 2>#{NULL}}.split[1].to_i
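Review bot: removing `tmp_dir` drops a public helper from the context object, and this hunk only shows the definition; check that no other caller in the code base or its tests still references it. Behaviourally the removal is sound: Tempfile places its files under `Dir.tmpdir`, which consults `TMPDIR`, `TMP` and `TEMP` before the system default, so the environment-variable override the removed method provided is preserved, and the file is created with a random name and mode 0600, which is what closes the predictable-name symlink issue described in the commit message.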
