kotovalexarian-likes-github/ruby--ruby
1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00
Code Releases Activity

* lib/fileutils.rb (rm_r): does chown(2). [ruby-dev:26199]

Browse source 
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@8520 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
aamine 2005-05-25 10:50:14 +00:00
parent 71a80abc7c
commit ac5925d2ab
2 changed files with 35 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
ChangeLog
View file

@ -1,3 +1,7 @@
Wed May 25 19:48:12 2005 Minero Aoki <aamine@loveruby.net>
* lib/fileutils.rb (rm_r): does chown(2). [ruby-dev:26199]
Wed May 25 12:59:48 2005 Tanaka Akira <akr@m17n.org> Wed May 25 12:59:48 2005 Tanaka Akira <akr@m17n.org>
* lib/open-uri.rb (OpenURI::Meta::RE_QUOTED_STRING): a content of * lib/open-uri.rb (OpenURI::Meta::RE_QUOTED_STRING): a content of

39
lib/fileutils.rb
View file

@ -682,8 +682,25 @@ module FileUtils
# FileUtils.rm_r '/', :force => true # :-) # FileUtils.rm_r '/', :force => true # :-)
# #
# When :secure options is set, this method chmod(700) all directories # When :secure options is set, this method chmod(700) all directories
# under +list+[n] at first. This option is required to avoid # under +list+[n] at first. This option is required to avoid TOCTTOU
# time-to-check-to-time-to-use security problem. Default is :secure=>true. # (time-of-check-to-time-of-use) security vulnarability.
# Default is :secure=>true.
#
# WARNING: You must ensure that *ALL* parent directories are not
# world writable. Otherwise this option does not work.
#
# WARNING: Only the owner of the removing directory tree, or
# super user (root) should invoke this method. Otherwise this
# option does not work.
#
# WARNING: Currently, this option does NOT affect Win32 systems.
#
# For details of this security vulnerability, see Perl's case:
#
# http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0448
# http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0452
#
# For fileutils.rb, this vulnarability is reported in [ruby-dev:26100].
# #
def rm_r(list, options = {}) def rm_r(list, options = {})
fu_check_options options, :force, :noop, :verbose, :secure fu_check_options options, :force, :noop, :verbose, :secure
@ -702,10 +719,7 @@ module FileUtils
if st.symlink? if st.symlink?
remove_file path, options[:force] remove_file path, options[:force]
elsif st.directory? elsif st.directory?
begin fu_fix_permission path if options[:secure]
fu_clear_permission path if options[:secure]
rescue
end
remove_dir path, options[:force] remove_dir path, options[:force]
else else
remove_file path, options[:force] remove_file path, options[:force]
@ -715,17 +729,23 @@ module FileUtils
OPT_TABLE['rm_r'] = %w( noop verbose force ) OPT_TABLE['rm_r'] = %w( noop verbose force )
def fu_clear_permission(prefix) # Ensure directories are not world writable.
def fu_fix_permission(prefix) #:nodoc:
fu_find([prefix]) do |path, lstat| fu_find([prefix]) do |path, lstat|
if lstat.directory? if lstat.directory?
begin
File.chown Process.euid, nil, path
rescue Errno::EPERM
end
begin begin
File.chmod 0700, path File.chmod 0700, path
rescue Errno::EPERM rescue Errno::EPERM
end end
end end
end end
rescue
end end
private :fu_clear_permission private :fu_fix_permission
# #
# Options: noop verbose secure # Options: noop verbose secure
@ -733,6 +753,9 @@ module FileUtils
# Same as # Same as
# #rm_r(list, :force => true) # #rm_r(list, :force => true)
# #
# WARNING: This method may cause serious security problem.
# Read the documentation of #rm_r first.
#
def rm_rf(list, options = {}) def rm_rf(list, options = {})
fu_check_options options, :noop, :verbose, :secure fu_check_options options, :noop, :verbose, :secure
options = options.dup options = options.dup