use mktemp(1) to generate temporary file names

Fix for CVE-2014-2906.

Closes a race condition in funced which would allow execution of
arbitrary code; closes a race condition in psub which would allow
alternation of the data stream.

Note that `psub -f` does not work (#1040); a fix should be committed
separately for ease of maintenance.

Closes #1437
This commit is contained in:
David Adam 2014-04-20 23:51:20 +08:00
parent ba1b5e34a7
commit 55bc4168bf
2 changed files with 4 additions and 13 deletions

View File

@ -81,11 +81,7 @@ function funced --description 'Edit function definition'
return 0
end
set -q TMPDIR; or set -l TMPDIR /tmp
set -l tmpname (printf "$TMPDIR/fish_funced_%d_%d.fish" %self (random))
while test -f $tmpname
set tmpname (printf "$TMPDIR/fish_funced_%d_%d.fish" %self (random))
end
set tmpname (mktemp -t fish_funced.XXXXXXXXXX)
if functions -q -- $funcname
functions -- $funcname > $tmpname

View File

@ -45,21 +45,16 @@ function psub --description "Read from stdin into a file and output the filename
return
end
# Find unique file name for writing output to
while true
set filename /tmp/.psub.(echo %self).(random);
if not test -e $filename
break;
end
end
if test use_fifo = 1
# Write output to pipe. This needs to be done in the background so
# that the command substitution exits without needing to wait for
# all the commands to exit
set dir (mktemp -d /tmp/.psub.XXXXXXXXXX); or return
set filename $dir/psub.fifo
mkfifo $filename
cat >$filename &
else
set filename (mktemp /tmp/.psub.XXXXXXXXXX)
cat >$filename
end