2 files changed, 35 insertions, 8 deletions

diff --git a/ChangeLog b/ChangeLog
index 344408485c..44082331f1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Wed May 25 19:48:12 2005  Minero Aoki  <aamine@loveruby.net>
+
+	* lib/fileutils.rb (rm_r): does chown(2). [ruby-dev:26199]
+
 Wed May 25 12:59:48 2005  Tanaka Akira  <akr@m17n.org>
 
 	* lib/open-uri.rb (OpenURI::Meta::RE_QUOTED_STRING): a content of 
diff --git a/lib/fileutils.rb b/lib/fileutils.rb
index 7c5307ff5c..18e881a9c4 100644
--- a/lib/fileutils.rb
+++ b/lib/fileutils.rb
@@ -682,8 +682,25 @@ module FileUtils
   #   FileUtils.rm_r '/', :force => true          #  :-)
   #
   # When :secure options is set, this method chmod(700) all directories
-  # under +list+[n] at first.  This option is required to avoid
-  # time-to-check-to-time-to-use security problem.  Default is :secure=>true.
+  # under +list+[n] at first.  This option is required to avoid TOCTTOU
+  # (time-of-check-to-time-of-use) security vulnarability.
+  # Default is :secure=>true.
+  #
+  # WARNING: You must ensure that *ALL* parent directories are not
+  # world writable.  Otherwise this option does not work.
+  #
+  # WARNING: Only the owner of the removing directory tree, or
+  # super user (root) should invoke this method.  Otherwise this
+  # option does not work.
+  #
+  # WARNING: Currently, this option does NOT affect Win32 systems.
+  #
+  # For details of this security vulnerability, see Perl's case:
+  #
+  #   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0448
+  #   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0452
+  #
+  # For fileutils.rb, this vulnarability is reported in [ruby-dev:26100].
   # 
   def rm_r(list, options = {})
     fu_check_options options, :force, :noop, :verbose, :secure
@@ -702,10 +719,7 @@ module FileUtils
       if st.symlink?
         remove_file path, options[:force]
       elsif st.directory?
-        begin
-          fu_clear_permission path if options[:secure]
-        rescue
-        end
+        fu_fix_permission path if options[:secure]
         remove_dir path, options[:force]
       else
         remove_file path, options[:force]
@@ -715,23 +729,32 @@ module FileUtils
 
   OPT_TABLE['rm_r'] = %w( noop verbose force )
 
-  def fu_clear_permission(prefix)
+  # Ensure directories are not world writable.
+  def fu_fix_permission(prefix)   #:nodoc:
     fu_find([prefix]) do |path, lstat|
       if lstat.directory?
         begin
+          File.chown Process.euid, nil, path
+        rescue Errno::EPERM
+        end
+        begin
           File.chmod 0700, path
         rescue Errno::EPERM
         end
       end
     end
+  rescue
   end
-  private :fu_clear_permission
+  private :fu_fix_permission
 
   #
   # Options: noop verbose secure
   # 
   # Same as 
   #   #rm_r(list, :force => true)
+  #
+  # WARNING: This method may cause serious security problem.
+  # Read the documentation of #rm_r first.
   # 
   def rm_rf(list, options = {})
     fu_check_options options, :noop, :verbose, :secure