Use #rm_rf rather than #remove_entry_secure #474

Merged
merged 1 commit into from Nov 16, 2014

Member

ddfreyne commented Sep 6, 2014

On some systems, FileUtils#remove_entry_secure fails to work because
it fails the TOCTTOU vulnerability check, even for /tmp. In the
case of nanoc, the vulnerability check has little use, since it deletes
the directories that it creates itself, so using FileUtils#rm_rf
instead of FileUtils#remove_entry_secure is fine.

Also see nanoc/nanoc#465

Use #rm_rf rather than #remove_entry_secure
On some systems, `FileUtils#remove_entry_secure` fails to work because
it fails the [TOCTTOU vulnerability check][1], even for `/tmp`. In the
case of nanoc, the vulnerability check has little use, since it deletes
the directories that it creates itself, so using `FileUtils#rm_rf`
instead of `FileUtils#remove_entry_secure` is fine.

Also see nanoc/nanoc#465

[1]: http://www.ruby-doc.org/stdlib-2.1.2/libdoc/fileutils/rdoc/FileUtils.html#method-c-remove_entry_secure
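
The check referred to above, as an added example that is not part of this pull request or of nanoc's code: Ruby's stdlib `FileUtils.remove_entry_secure` raises `ArgumentError` when the parent of the directory being removed is world-writable without the sticky bit. The helper names, the `scratch` directory name and the three constructed parent modes are assumptions for illustration, and a POSIX filesystem is assumed.

```ruby
require "fileutils"
require "tmpdir"

# Classify a parent directory by the two mode bits the stdlib precondition
# looks at. World-writable without the sticky bit means any local user may
# rename or replace entries inside it between a check and the later unlink.
def parent_verdict(dir)
  st = File.stat(dir)
  return :not_world_writable unless st.world_writable?
  st.sticky? ? :world_writable_sticky : :world_writable_no_sticky
end

# Create a private (0700) tree under +parent+, as a site generator would for
# its own scratch output, then try the checked removal. On refusal, fall back
# to the unchecked rm_rf so nothing is left behind.
def secure_remove_outcome(parent)
  tree = File.join(parent, "scratch")          # hypothetical directory name
  Dir.mkdir(tree, 0o700)
  File.write(File.join(tree, "index.html"), "constructed sample file")
  FileUtils.remove_entry_secure(tree)
  :removed
rescue ArgumentError
  FileUtils.rm_rf(tree)
  :refused
end

# Run both helpers against three constructed parents and return
# { mode => [verdict, outcome] }. The sandbox is removed afterwards.
def check_matrix(modes = [0o755, 0o1777, 0o777])
  sandbox = Dir.mktmpdir("tocttou-demo-")
  modes.each_with_object({}) do |mode, results|
    parent = File.join(sandbox, format("parent-%o", mode))
    Dir.mkdir(parent)
    File.chmod(mode, parent)                   # chmod sidesteps the umask
    results[mode] = [parent_verdict(parent), secure_remove_outcome(parent)]
  end
ensure
  FileUtils.rm_rf(sandbox) if sandbox
end

check_matrix.each do |mode, (verdict, outcome)|
  puts format("%-5o %-26s %s", mode, verdict, outcome)
end
```

Running `parent_verdict` on the directory that holds a tool's temporary output shows which of the three cases a given system falls into when the checked removal fails.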

@ddfreyne ddfreyne referenced this pull request Nov 15, 2014

Closed

release 3.7.4 #495

mpapis commented Nov 15, 2014

Member

After checking the definition of the attack I'm 👍 on this one; no need for extra checks as we are in full control of the files here, nobody else should use them.

@ddfreyne ddfreyne removed the to review label Nov 16, 2014

ddfreyne added a commit that referenced this pull request Nov 16, 2014

@ddfreyne ddfreyne merged commit 5e7e316 into release-3.7.x Nov 16, 2014

1 check passed

continuous-integration/travis-ci The Travis CI build passed

@ddfreyne ddfreyne deleted the rm-rf-instead-of-remove-entry-secure branch Nov 17, 2014
