unsecure file creation
Roberto Raggi
roberto at kdevelop.org
Thu Jun 19 19:21:02 UTC 2003
On Thursday 19 June 2003 16:14, Dirk Mueller wrote:
> Hi,
>
> commit 1.3 to kdevelop/lib/cppparser/driver.cpp introduced this code:
>
> + if( m_generatePreprocessedOutput ){
> + QDir::home().mkdir( "/tmp/i" );
> + QFile f( QString::fromLatin1("/tmp/i/") + fileInfo.baseName() +
> ".i" );
> + f.open( IO_WriteOnly );
> + QTextStream out( &f );
> +
>
>
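Review bot: the results of mkdir() and f.open( IO_WriteOnly ) are both discarded in this hunk, so QTextStream out( &f ) is set up whether or not /tmp/i was created by this process and whether or not the file opened. Check both return values and skip the preprocessed output on failure; a failed mkdir() may mean /tmp/i was already there, which is the case where the fixed path should not be trusted. Calling mkdir() on QDir::home() with an absolute /tmp path also reads oddly, since the home directory plays no part in where the output lands.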
> This code creates files in a possibly world writeable directory in an
> unsecure manner (It does not check if /tmp/i does not exist already and it
> does not check that the permissions are 0700). It is therefore vulnerable
> to a symlink attack.
>
> For ways to securely create files, have a look at KSaveFile, which is a
> class in kdecore.
>
> Please fix it ASAP, thanks.
oops!! fixed in cvs
thanks for your hint dirk :)
ciao robe
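
Added example, not code from this thread or from KDevelop: the two checks the report asks for (the directory is not a pre-existing one, and its permissions are 0700) plus exclusive file creation, written with plain POSIX calls instead of KSaveFile. The function names are hypothetical.

```cpp
#include <cerrno>
#include <cstdlib>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Create a fresh directory with an unpredictable name and mode 0700.
// mkdtemp() fails rather than reuse an existing entry, so a directory or
// symlink planted in advance by another user is never adopted.
// Returns the new path, or an empty string on failure.
std::string makePrivateDir(const std::string& prefix) {
    std::string tmpl = prefix + "XXXXXX";
    return mkdtemp(&tmpl[0]) ? tmpl : std::string();
}

// The checks the report says are missing: the path is a real directory
// (lstat() does not follow a symlink), it belongs to us, and neither
// group nor others have any access bits (0700 or stricter).
bool isPrivateDir(const std::string& path) {
    struct stat st;
    if (lstat(path.c_str(), &st) != 0) return false;
    return S_ISDIR(st.st_mode) && st.st_uid == geteuid()
        && (st.st_mode & 077) == 0;
}

// Open <dir>/<base>.i for writing only if this call creates it.
// O_CREAT|O_EXCL makes open() fail with EEXIST when anything, including a
// dangling symlink, already has that name; O_NOFOLLOW is a second guard.
// Returns a file descriptor, or -1 with errno set.
int openPreprocessedOutput(const std::string& dir, const std::string& base) {
    if (!isPrivateDir(dir)) { errno = EACCES; return -1; }
    const std::string path = dir + "/" + base + ".i";
    return open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}
```

A caller would create the directory once with makePrivateDir() and pass it to openPreprocessedOutput() for each file, treating -1 as "do not write".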