odaysec opened a new pull request, #12276: URL: https://github.com/apache/trafficserver/pull/12276
https://github.com/apache/trafficserver/blob/28710feefbcd5f10ce5def123f6fbd3e09fc1b79/src/tscore/ink_cap.cc#L407-L410

To fix the TOCTOU race condition, we should replace the `chmod` call with `fchmod`, which operates on a file descriptor rather than a file path. This ensures that the permissions are applied to the same file that was opened, regardless of any changes to the file system in the meantime. The fix involves:

1. Opening the file using `open` to obtain a file descriptor.
2. Using `fchmod` to change the permissions of the file referenced by the file descriptor.
3. Closing the file descriptor after the operation.

This approach ensures that the file being operated on is the same file that was opened, eliminating the race condition.

[FIO01-C. Be careful using functions that use file names for identification](https://www.securecoding.cert.org/confluence/display/c/FIO01-C.+Be+careful+using+functions+that+use+file+names+for+identification)

The following shows a case where a file is opened and then, if the opening was successful, its permissions are changed with `chmod`. However, an attacker might change the target of the file name between the initial opening and the permissions change, potentially changing the permissions of a different file.

```cc
char *file_name;
FILE *f_ptr;

/* Initialize file_name */

f_ptr = fopen(file_name, "w");
if (f_ptr == NULL) {
  /* Handle error */
}

/* ... */

if (chmod(file_name, S_IRUSR) == -1) {
  /* Handle error */
}

fclose(f_ptr);
```

This can be avoided by using `fchmod` with the file descriptor that was received from opening the file. This ensures that the permissions change is applied to the very same file that was opened.

```cc
char *file_name;
int fd;

/* Initialize file_name */

fd = open(file_name, O_WRONLY | O_CREAT | O_EXCL, S_IRWXU);
if (fd == -1) {
  /* Handle error */
}

/* ... */

if (fchmod(fd, S_IRUSR) == -1) {
  /* Handle error */
}

close(fd);
```
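The difference between the two calls can be checked deterministically. The following is an added example, not code from the pull request or from Traffic Server: it opens a file in a private temp directory, re-points the name at a second file, and then changes the mode either by path or by descriptor. The names `run_swap_scenario`, `fd_mode`, `target`, `other`, `moved` and the `/tmp/toctou-demo-XXXXXX` directory are assumptions made for this illustration.

```c
#define _XOPEN_SOURCE 700 /* mkdtemp, symlink, fchmod */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of the file behind an open descriptor, or -1 on error. */
static int fd_mode(int fd) {
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Constructed scenario in a private temp dir: "target" is opened, then the
 * name is re-pointed at "other" (rename + symlink) before the mode change.
 * use_fd == 0 changes the mode by path, use_fd != 0 by descriptor.
 * Returns 0 on success and reports the final mode of each file. */
int run_swap_scenario(int use_fd, int *opened_mode, int *other_mode) {
    char dir[] = "/tmp/toctou-demo-XXXXXX"; /* assumed scratch location */
    char target[64], other[64], moved[64];
    int fd = -1, ofd = -1, rc = -1;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    snprintf(moved, sizeof moved, "%s/moved", dir);
    ofd = open(other, O_WRONLY | O_CREAT | O_EXCL, 0600);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (ofd == -1 || fd == -1) goto out;
    if (fchmod(ofd, 0600) == -1 || fchmod(fd, 0600) == -1) goto out;
    /* The window between open and the permission change: the name moves. */
    if (rename(target, moved) == -1 || symlink(other, target) == -1) goto out;
    /* The path-based call resolves the name again; the fd-based call does not. */
    if ((use_fd ? fchmod(fd, S_IRUSR) : chmod(target, S_IRUSR)) == -1) goto out;
    *opened_mode = fd_mode(fd);
    *other_mode = fd_mode(ofd);
    rc = 0;
out:
    if (fd != -1) close(fd);
    if (ofd != -1) close(ofd);
    unlink(target); unlink(moved); unlink(other); rmdir(dir);
    return rc;
}

int main(void) {
    int a, b;
    for (int use_fd = 0; use_fd <= 1; use_fd++)
        if (run_swap_scenario(use_fd, &a, &b) == 0)
            printf("%s: opened %04o, other %04o\n", use_fd ? "fchmod" : "chmod", a, b);
    return 0;
}
```

With `chmod` the mode change lands on `other` and the opened file keeps 0600; with `fchmod` the opened file becomes 0400 and `other` is untouched.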
