unsecure file creation

Roberto Raggi roberto at kdevelop.org
Thu Jun 19 19:21:02 UTC 2003


On Thursday 19 June 2003 16:14, Dirk Mueller wrote:
> Hi,
>
> commit 1.3 to kdevelop/lib/cppparser/driver.cpp introduced this code:
>
> +    if( m_generatePreprocessedOutput ){
> +        QDir::home().mkdir( "/tmp/i" );
> +        QFile f( QString::fromLatin1("/tmp/i/") + fileInfo.baseName() +
> ".i" );
> +        f.open( IO_WriteOnly );
> +        QTextStream out( &f );
> +
>
>
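Review bot: The return values of mkdir() and f.open() are both ignored here, so if /tmp/i already exists and was created by someone else, the code carries on and opens a predictable file name inside a directory it never verified. Note also that QDir::home().mkdir( "/tmp/i" ) is given an absolute path, so the home directory plays no part in where the directory ends up. Suggest writing the preprocessed output under a directory private to the user (or through KSaveFile), checking the mkdir() result and the directory's owner and mode, and returning before the QTextStream is constructed when f.open() fails.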
> This code creates files in a possibly world-writable directory in an
> unsecure manner (it does not check if /tmp/i does not exist already and it
> does not check that the permissions are 0700). It is therefore vulnerable
> to a symlink attack.
>
> For ways to securely create files, have a look at KSaveFile, which is a
> class in kdecore.
>
> Please fix it ASAP, thanks.
Oops!! Fixed in CVS.

Thanks for your hint, Dirk :)

ciao robe
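
The checks Dirk's message asks for (an existing directory is not trusted, and its permissions must be 0700), as an added example using plain POSIX calls instead of KSaveFile. It is not KDevelop's code or the fix that went into CVS; the function name and the directory and file names are hypothetical.

```cpp
#include <cerrno>
#include <cstdio>
#include <fcntl.h>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Added example; function, directory and file names are hypothetical.
// Opens dir/name for writing and returns an fd, or -1. The directory must be
// a real directory (not a symlink) owned by the caller with mode 0700.
int open_private_output(const std::string& dir, const std::string& name) {
    // The file name must be a single path component.
    if (name.empty() || name == "." || name == ".." ||
        name.find('/') != std::string::npos)
        return -1;
    // Create the directory if missing and check the result. EEXIST is not
    // trusted: whatever is already there gets verified below.
    if (mkdir(dir.c_str(), 0700) != 0 && errno != EEXIST)
        return -1;

    // O_NOFOLLOW rejects a symlink planted at `dir`; fstat() then inspects the
    // object that was actually opened, so there is no check-then-use gap.
    int dfd = open(dir.c_str(), O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    struct stat st;
    if (fstat(dfd, &st) != 0 || st.st_uid != geteuid() ||
        (st.st_mode & 07777) != 0700) {
        close(dfd);
        return -1;
    }

    // Drop a stale file from an earlier run, then create exclusively: O_EXCL
    // fails if the name exists and never writes through a symlink.
    if (unlinkat(dfd, name.c_str(), 0) != 0 && errno != ENOENT) {
        close(dfd);
        return -1;
    }
    int fd = openat(dfd, name.c_str(),
                    O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    close(dfd);
    return fd;
}

int main() {
    int fd = open_private_output("preprocessed-out", "driver.i");  // constructed names
    if (fd < 0) { std::fputs("refusing to write output\n", stderr); return 1; }
    close(fd);
    return 0;
}
```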
