[DRE-maint] Is Ruby's Tempfile secure?
Charles Plessy
plessy at debian.org
Mon Sep 1 13:17:46 UTC 2008
Greetings, Ruby adepts!
In the course of solving a security bug in a Ruby script, we came to wonder if
the "Tempfile" class is secure or not. Can we have your opinion?
On Mon, Sep 01, 2008 at 02:53:27PM +0200, Thijs Kinkhorst wrote:
> On Mon, September 1, 2008 14:44, Charles Plessy wrote:
> > for your information, Upstream solved the problem using the Tempfile
> > class, with calls like this:
> >
> > temp_vf = Tempfile.new("_vf").path
> >
> > I suppose it is as good as stemp?
>
> I'm afraid the Tempfile class doesn't look secure to me:
> "Creates a temporary file of mode 0600 in the temporary directory whose
> name is basename.pid.n"
>
> Also the first sentence of the Ruby-stemp website reads:
> "Pure Ruby tempfile implementations appear to suffer from well-known race
> conditions."
> http://ruby-stemp.rubyforge.org/
Hmmm... it is not because they bash their competitor that they are right ;)
Look at the ruby interpreter:
aqwa『~』$ irb
irb(main):001:0> require 'tempfile'
=> true
irb(main):003:0> Tempfile.new("toto")
=> #<File:/tmp/toto20080901-14896-1wek483-0>
irb(main):004:0> Tempfile.new("toto")
=> #<File:/tmp/toto20080901-14896-1tbp21f-0>
irb(main):005:0>
[1]+ Stopped irb
aqwa『~』$ ps aux | grep irb
charles 14896 0.0 0.2 29728 6132 pts/2 T 22:04 0:00 irb
The ".n" in basename.pid.n seems to be doing the right job.
For the race condition, I really do not know. I think that the upstream author
is quite busy and was kind enough to help me to get a working patch quickly
(the one I submitted to you for review did not work in the end). Unless our
Ruby experts confirm that Tempfile should not be used, I would not like to ask
him to revise his patch.
Have a nice day,
--
Charles Plessy
Debian Med packaging team,
Tsurumi, Kanagawa, Japan
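
The race-condition question in this thread comes down to whether the file is created with an exclusive open, which a unique-looking name alone does not show. The following Ruby check is an added example, not part of the original message or of the upstream patch; the helper names, file names and the scratch-directory scenario are constructed for illustration.

```ruby
require 'tempfile'
require 'tmpdir'

# Create +path+ only if nothing exists there yet. O_CREAT together with
# O_EXCL makes open(2) fail with EEXIST on an existing file or symlink.
def exclusive_create(path)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) { |f| f.write("data") }
  :created
rescue Errno::EEXIST
  :refused
end

# Constructed scenario in a private scratch directory: a predictable name
# (basename.pid) is already occupied by a symlink to another file.
def symlink_check
  Dir.mktmpdir do |dir|
    target = File.join(dir, "target")
    File.write(target, "original")
    predictable = File.join(dir, "_vf.#{Process.pid}")
    File.symlink(target, predictable)

    exclusive = exclusive_create(predictable)
    untouched = File.read(target) == "original"
    File.open(predictable, "w") { |f| f.write("data") } # plain open follows the link
    followed = File.read(target) == "data"
    { exclusive: exclusive, untouched: untouched, plain_open_followed_link: followed }
  end
end

# Keep the Tempfile object, write through its handle, and report what was
# actually created on disk: permission bits and whether it is a regular file.
def tempfile_check
  tf = Tempfile.new("_vf")
  tf.write("data")
  tf.flush
  st = File.lstat(tf.path)
  { mode: st.mode & 0777, regular: st.file? }
ensure
  tf&.close!
end

if __FILE__ == $0
  p symlink_check
  p tempfile_check
end
```

Keeping only `Tempfile.new("_vf").path` drops the last reference to the Tempfile object, and its finalizer removes the file once the object is garbage-collected, so code that needs the file should hold on to the object itself.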