* lib/tmpdir.rb (Dir.tmpdir): should not use world-writable but

non-sticky directory. * lib/tmpdir.rb (Dir.mktmpdir): check the parent directory. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34979 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2012-03-11 22:19:06 +00:00 · 2012-03-11 22:19:06 +00:00 · bcb9e567c4
commit bcb9e567c4
parent 42437780d6
3 changed files with 34 additions and 2 deletions
--- a/lib/tmpdir.rb
+++ b/lib/tmpdir.rb
@ -23,7 +23,8 @@ class Dir
      tmp = @@systmpdir
    else
      for dir in [ENV['TMPDIR'], ENV['TMP'], ENV['TEMP'], @@systmpdir, '/tmp']
-        if dir and stat = File.stat(dir) and stat.directory? and stat.writable?
+        if dir and stat = File.stat(dir) and stat.directory? and stat.writable? and
+            (!stat.world_writable? or stat.sticky?)
          tmp = dir
          break
        end rescue nil
@ -82,7 +83,11 @@ class Dir
      begin
        yield path
      ensure
-        FileUtils.remove_entry_secure path
+        stat = File.stat(File.dirname(path))
+        if stat.world_writable? and !stat.sticky?
+          raise ArgumentError, "parent directory is world writable but not sticky"
+        end
+        FileUtils.remove_entry path
      end
    else
      path