From fdca654c552b3dfe82101e43b9adc10e08b434b5 Mon Sep 17 00:00:00 2001 From: naruse Date: Tue, 29 Jan 2019 09:19:52 +0000 Subject: merge revision(s) 66909: [Backport #15555] tmpdir.rb: permission of user given directory * lib/tmpdir.rb (Dir.mktmpdir): check if the permission of the parent directory only when using the default temporary directory, and no check against user given directory. the security is the user's responsibility in that case. [ruby-core:91216] [Bug #15555] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@66941 b2dd03c8-39d4-4d8f-98ff-823fe69b080e --- lib/tmpdir.rb | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) (limited to 'lib') diff --git a/lib/tmpdir.rb b/lib/tmpdir.rb index 7c0ce3a7f0..87e53a83be 100644 --- a/lib/tmpdir.rb +++ b/lib/tmpdir.rb @@ -83,14 +83,20 @@ class Dir # end # def self.mktmpdir(prefix_suffix=nil, *rest) - path = Tmpname.create(prefix_suffix || "d", *rest) {|n| mkdir(n, 0700)} + base = nil + path = Tmpname.create(prefix_suffix || "d", *rest) {|path, _, _, d| + base = d + mkdir(path, 0700) + } if block_given? begin yield path ensure - stat = File.stat(File.dirname(path)) - if stat.world_writable? and !stat.sticky? - raise ArgumentError, "parent directory is world writable but not sticky" + unless base + stat = File.stat(File.dirname(path)) + if stat.world_writable? and !stat.sticky? + raise ArgumentError, "parent directory is world writable but not sticky" + end end FileUtils.remove_entry path end @@ -110,6 +116,7 @@ class Dir if $SAFE > 0 and tmpdir.tainted? tmpdir = '/tmp' else + origdir = tmpdir tmpdir ||= tmpdir() end n = nil @@ -125,7 +132,7 @@ class Dir path = "#{prefix}#{t}-#{$$}-#{rand(0x100000000).to_s(36)}"\ "#{n ? %[-#{n}] : ''}#{suffix||''}" path = File.join(tmpdir, path) - yield(path, n, opts) + yield(path, n, opts, origdir) rescue Errno::EEXIST n ||= 0 n += 1 -- cgit v1.2.3