[debian-edu-commits] [Git][debian-edu/upstream/sitesummary][master] 2 commits: Fix insecure temporary file and directory creation, error checking

Mike Gabriel (@sunweaver) gitlab at salsa.debian.org
Wed Aug 23 09:42:45 BST 2023



Mike Gabriel pushed to branch master at Debian Edu / upstream / sitesummary


Commits:
ca0e1ed9 by Guido Berhoerster at 2023-08-22T18:10:36+02:00
Fix insecure temporary file and directory creation, error checking

Seurely create a temporary directory using mktemp and check for errors both
when creating the directory and wehn changing the current working directory.
Place the tarball inside the temporary directory instead of using a predictable
file name in /tmp which may lead to a symlink attack. Ensure the temporary
directory is always removed.

- - - - -
834e191b by Guido Berhoerster at 2023-08-22T18:10:36+02:00
Use quoting for fragments

- - - - -


1 changed file:

- sitesummary-client


Changes:

=====================================
sitesummary-client
=====================================
@@ -14,9 +14,12 @@ export PATH
 LC_ALL=C
 export LC_ALL
 
+umask 0077
+
 # Make sure to store files in a ramfs backed
 # storage area on diskless clients, so use /tmp/.
-tmpdir=/tmp/sitesummary-$$
+tmpdir="$(mktemp -d -p /tmp)"
+trap 'rm -rf "${tmpdir}"' EXIT
 
 log() {
     msg="$@"
@@ -54,22 +57,23 @@ for confdir in \
 do
     [ -d $confdir ] || continue
     for config in $confdir/* ; do
-	[ -f $config ] && . $config
+	[ -f "$config" ] && . "$config"
     done
 done
 
-mkdir $tmpdir && cd $tmpdir
+mkdir "${tmpdir}/output"
+cd "${tmpdir}/output"
 
 for fragdir in $fragdirs ; do
-    [ -d $fragdir ] || continue 
-    for frag in $fragdir/*; do 
-	[ -x $frag ] && $frag || true
+    [ -d "$fragdir" ] || continue 
+    for frag in "$fragdir/"*; do 
+	[ -x "$frag" ] && "$frag" || true
     done
 done
 
 # Wrap up the package
-hostsummaryfile=$tmpdir.tar.gz
-tar zcf $hostsummaryfile .
+hostsummaryfile="${tmpdir}/output.tar.gz"
+tar zcf "${hostsummaryfile}" .
 
 for url in $serverurls ; do
     if [ "$gpgencrypt" != false ] ; then
@@ -88,6 +92,3 @@ for url in $serverurls ; do
 	error "unable to submit to '$url'"
     fi
 done
-
-rm $hostsummaryfile
-rm -r $tmpdir



View it on GitLab: https://salsa.debian.org/debian-edu/upstream/sitesummary/-/compare/026fb0180bdfc20b1ded311d1ca2df2b3736783f...834e191bbf2238911582105961c5402a8adadc31

-- 
View it on GitLab: https://salsa.debian.org/debian-edu/upstream/sitesummary/-/compare/026fb0180bdfc20b1ded311d1ca2df2b3736783f...834e191bbf2238911582105961c5402a8adadc31
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-edu-commits/attachments/20230823/d59bd7d6/attachment-0001.htm>


More information about the debian-edu-commits mailing list