merge revision(s) 66909: [Backport #15555]

tmpdir.rb: permission of user given directory * lib/tmpdir.rb (Dir.mktmpdir): check if the permission of the parent directory only when using the default temporary directory, and no check against user given directory. the security is the user's responsibility in that case. [ruby-core:91216] [Bug #15555] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@66941 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2019-01-29 09:19:52 +00:00 · 2019-01-29 09:19:52 +00:00 · fdca654c55
commit fdca654c55
parent fbad5b97e8
3 changed files with 19 additions and 6 deletions
--- a/lib/tmpdir.rb
+++ b/lib/tmpdir.rb
@ -83,15 +83,21 @@ class Dir
  #  end
  #
  def self.mktmpdir(prefix_suffix=nil, *rest)
-    path = Tmpname.create(prefix_suffix || "d", *rest) {|n| mkdir(n, 0700)}
+    base = nil
+    path = Tmpname.create(prefix_suffix || "d", *rest) {|path, _, _, d|
+      base = d
+      mkdir(path, 0700)
+    }
    if block_given?
      begin
        yield path
      ensure
+        unless base
          stat = File.stat(File.dirname(path))
          if stat.world_writable? and !stat.sticky?
            raise ArgumentError, "parent directory is world writable but not sticky"
          end
+        end
        FileUtils.remove_entry path
      end
    else
@ -110,6 +116,7 @@ class Dir
      if $SAFE > 0 and tmpdir.tainted?
        tmpdir = '/tmp'
      else
+        origdir = tmpdir
        tmpdir ||= tmpdir()
      end
      n = nil
@ -125,7 +132,7 @@ class Dir
        path = "#{prefix}#{t}-#{$$}-#{rand(0x100000000).to_s(36)}"\
               "#{n ? %[-#{n}] : ''}#{suffix||''}"
        path = File.join(tmpdir, path)
-        yield(path, n, opts)
+        yield(path, n, opts, origdir)
      rescue Errno::EEXIST
        n ||= 0
        n += 1
--- a/test/test_tmpdir.rb
+++ b/test/test_tmpdir.rb
@ -33,6 +33,12 @@ class TestTmpdir < Test::Unit::TestCase
        assert_equal(tmpdir, Dir.tmpdir)
        File.chmod(0777, tmpdir)
        assert_not_equal(tmpdir, Dir.tmpdir)
+        newdir = Dir.mktmpdir("d", tmpdir) do |dir|
+          assert_file.directory? dir
+          assert_equal(tmpdir, File.dirname(dir))
+          dir
+        end
+        assert_file.not_exist?(newdir)
        File.chmod(01777, tmpdir)
        assert_equal(tmpdir, Dir.tmpdir)
      ensure
--- a/version.h
+++ b/version.h
@ -1,6 +1,6 @@
 #define RUBY_VERSION "2.6.1"
 #define RUBY_RELEASE_DATE RUBY_RELEASE_YEAR_STR"-"RUBY_RELEASE_MONTH_STR"-"RUBY_RELEASE_DAY_STR
-#define RUBY_PATCHLEVEL 31
+#define RUBY_PATCHLEVEL 32

 #define RUBY_RELEASE_YEAR 2019
 #define RUBY_RELEASE_MONTH 1