* lib/fileutils.rb (remove_entry_secure): does not use chdir(2).

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@9214 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2005-09-18 20:33:01 +00:00 · 2005-09-18 20:33:01 +00:00 · 14d206dbb5
commit 14d206dbb5
parent af8d063aca
2 changed files with 36 additions and 25 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+Mon Sep 19 05:32:41 2005  Minero Aoki  <aamine@loveruby.net>
+
+	* lib/fileutils.rb (remove_entry_secure): does not use chdir(2).
+
 Mon Sep 19 03:17:48 2005  Tanaka Akira  <akr@m17n.org>

        * file.c (rb_thread_flock): wrap the flock system call by
--- a/lib/fileutils.rb
+++ b/lib/fileutils.rb
@ -623,9 +623,6 @@ module FileUtils
  # user (root) should invoke this method.  Otherwise this method does not
  # work.
  #
-  # WARNING: remove_entry_secure uses chdir(2), this method is not
-  # multi-thread safe, nor reentrant.
-  #
  # For details of this security vulnerability, see Perl's case:
  #
  #   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0448
@ -634,40 +631,41 @@ module FileUtils
  # For fileutils.rb, this vulnerability is reported in [ruby-dev:26100].
  #
  def remove_entry_secure(path, force = false)
-    fullpath = File.expand_path(path)
-    st = File.stat(File.dirname(fullpath))
-    unless st.world_writable?
+    unless fu_have_symlink?
      remove_entry path, force
      return
    end
-    unless st.sticky?
-      raise ArgumentError, "parent directory is insecure: #{path}"
+    fullpath = File.expand_path(path)
+    st = File.lstat(fullpath)
+    unless st.directory?
+      File.unlink fullpath
+      return
    end
+    # is a directory.
+    parent_st = File.stat(File.dirname(fullpath))
+    unless parent_st.world_writable?
+      remove_entry path, force
+      return
+    end
+    unless parent_st.sticky?
+      raise ArgumentError, "parent directory is world writable, FileUtils#remove_entry_secure does not work; abort: #{path.inspect} (parent directory mode #{'%o' % parent_st.mode})"
+    end
+    # freeze tree root
    euid = Process.euid
-    prevcwd = Dir.getwd
-    begin
-      begin
-        Dir.chdir(fullpath)
-      rescue SystemCallError
-        # seems a file
+    File.open(fullpath + '/.') {|f|
+      unless fu_stat_identical_entry?(st, f.stat)
+        # symlink (TOC-to-TOU attack?)
        File.unlink fullpath
        return
      end
-      unless fu_stat_identical_entry?(File.lstat(fullpath), File.stat('.'))
-        # seems TOC-to-TOU attack
-        File.unlink fullpath
-        return
-      end
-      File.chown euid, nil, '.'
-      File.chmod 0700, '.'
-    ensure
-      Dir.chdir prevcwd
-    end
+      f.chown euid, -1
+      f.chmod 0700
+    }
    # ---- tree root is frozen ----
    root = Entry_.new(path)
    root.preorder_traverse do |ent|
      if ent.directory?
-        ent.chown euid, nil
+        ent.chown euid, -1
        ent.chmod 0700
      end
    end
@ -682,9 +680,18 @@ module FileUtils
    raise unless force
  end

+  def fu_have_symlink?
+    File.symlink nil, nil
+  rescue NotImplementedError
+    return false
+  rescue
+    return true
+  end
+
  def fu_stat_identical_entry?(a, b)
    a.dev == b.dev and a.ino == b.ino
  end
+  private :fu_stat_identical_entry?

  #
  # This method removes a file system entry +path+.