Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse code

Fix JRUBY-5524: FileUtils is vulnerable to symlink race attacks

This patch is imported from upstream temporarily. Here's a commit log of
CRuby's fix.

 * lib/fileutils.rb (FileUtils::remove_entry_secure): there is a
   race condition in the case where the given path is a directory,
   and some other user can move that directory, and create a
   symlink while this method is executing.
   Reported by: Nicholas Jefferson <nicholas at pythonic.com.au>
  • Loading branch information...
commit 4b564ddf93ed21ef36d7c26158bd50d646c4bf69 1 parent e56e8bc
Hiroshi Nakamura nahi authored

Showing 1 changed file with 9 additions and 4 deletions. Show diff stats Hide diff stats

  1. +9 4 lib/ruby/1.8/fileutils.rb
13 lib/ruby/1.8/fileutils.rb
@@ -657,10 +657,10 @@ def rm_rf(list, options = {})
657 657 # removing directories. This requires the current process is the
658 658 # owner of the removing whole directory tree, or is the super user (root).
659 659 #
660   - # WARNING: You must ensure that *ALL* parent directories are not
661   - # world writable. Otherwise this method does not work.
662   - # Only exception is temporary directory like /tmp and /var/tmp,
663   - # whose permission is 1777.
  660 + # WARNING: You must ensure that *ALL* parent directories cannot be
  661 + # moved by other untrusted users. For example, parent directories
  662 + # should not be owned by untrusted users, and should not be world
  663 + # writable except when the sticky bit set.
664 664 #
665 665 # WARNING: Only the owner of the removing directory tree, or Unix super
666 666 # user (root) should invoke this method. Otherwise this method does not
@@ -703,6 +703,11 @@ def remove_entry_secure(path, force = false)
703 703 end
704 704 f.chown euid, -1
705 705 f.chmod 0700
  706 + unless fu_stat_identical_entry?(st, File.lstat(fullpath))
  707 + # TOC-to-TOU attack?
  708 + File.unlink fullpath
  709 + return
  710 + end
706 711 }
707 712 # ---- tree root is frozen ----
708 713 root = Entry_.new(path)

0 comments on commit 4b564dd

Please sign in to comment.
Something went wrong with that request. Please try again.