From 55986120aa2cc8ab0809db8ca1f8116491c1fb14 Mon Sep 17 00:00:00 2001
From: David Adam
Date: Sun, 20 Apr 2014 23:51:20 +0800
Subject: [PATCH] use mktemp(1) to generate temporary file names

Fix for CVE-2014-2906. Closes a race condition in funced which would allow execution of arbitrary code; closes a race condition in psub which would allow alternation of the data stream. Note that `psub -f` does not work (#1040); a fix should be committed separately for ease of maintenance.
---
 share/functions/funced.fish | 6 +-----
 share/functions/psub.fish | 11 +++--------
 2 files changed, 4 insertions(+), 13 deletions(-)

diff --git a/share/functions/funced.fish b/share/functions/funced.fish
index acee5c1a9..3ab35fc92 100644
--- a/share/functions/funced.fish
+++ b/share/functions/funced.fish
@@ -81,11 +81,7 @@ function funced --description 'Edit function definition'
 return 0
 end

- set -q TMPDIR; or set -l TMPDIR /tmp
- set -l tmpname (printf "$TMPDIR/fish_funced_%d_%d.fish" %self (random))
- while test -f $tmpname
- set tmpname (printf "$TMPDIR/fish_funced_%d_%d.fish" %self (random))
- end
+ set tmpname (mktemp -t fish_funced.XXXXXXXXXX)

 if functions -q -- $funcname
 functions -- $funcname > $tmpname
diff --git a/share/functions/psub.fish b/share/functions/psub.fish
index 42e34c731..7877aa4ec 100644
--- a/share/functions/psub.fish
+++ b/share/functions/psub.fish
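Review bot: In funced.fish the new `set tmpname (mktemp -t fish_funced.XXXXXXXXXX)` neither checks that mktemp succeeded nor keeps the `-l` that the removed code used. If mktemp fails, `$tmpname` is empty when `functions -- $funcname > $tmpname` runs, and without `-l` an existing global or universal `tmpname` would presumably be overwritten rather than shadowed. I would write `set -l tmpname (mktemp -t fish_funced.XXXXXXXXXX); or return 1`. The same missing check applies in psub.fish to `set filename (mktemp /tmp/.psub.XXXXXXXXXX)` in the else branch, where only the `mktemp -d` line carries `; or return`. funced's body starts and ends outside the hunk.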
@@ -45,21 +45,16 @@ function psub --description "Read from stdin into a file and output the filename
 return
 end

- # Find unique file name for writing output to
- while true
- set filename /tmp/.psub.(echo %self).(random);
- if not test -e $filename
- break;
- end
- end
-
 if test use_fifo = 1
 # Write output to pipe. This needs to be done in the background so
 # that the command substitution exits without needing to wait for
 # all the commands to exit
+ set dir (mktemp -d /tmp/.psub.XXXXXXXXXX); or return
+ set filename $dir/psub.fifo
 mkfifo $filename
 cat >$filename &
 else
+ set filename (mktemp /tmp/.psub.XXXXXXXXXX)
 cat >$filename
 end
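Review bot: The fifo branch now creates a private directory with `mktemp -d`, but nothing in this hunk arranges for `$dir` to be removed. Unless the cleanup code after the hunk also gains something like `rmdir $dir`, each call would leave an empty `/tmp/.psub.*` directory behind. `mkfifo $filename` is also unchecked; `mkfifo $filename; or return` would keep `cat` from writing to a path that was never created. Both templates hard-code `/tmp`, while the funced change uses `mktemp -t`, so a short comment saying why psub does not follow `TMPDIR` would help the next reader. psub's body starts and ends outside the hunk.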