There is a potential race condition here. You MUST pass in arguments to FileOutputStream telling it not to overwrite an existing file, in the case that the argument was passed in by the client. Or you can get e.g. symlink attacks.
BTW, why so many options? Why not simply *always* generate a new temp
file to write to? Simplicity is good...
Also didn't you say it would be restricted to the download dir? I'm not
convinced that's a good idea admittedly - you might want a list of
allowed dirs anyway?
On Fri, Mar 16, 2007 at 05:43:47PM +0000, [EMAIL PROTECTED] wrote:
> Author: saces
> Date: 2007-03-16 17:43:46 +0000 (Fri, 16 Mar 2007)
> New Revision: 12155
>
> Added:
> trunk/freenet/src/freenet/node/fcp/TestDDAMessage.java
> Log:
> new TestDDA command
>
> + File f;
> + try {
> + if (writefilename.trim().length() == 0) {
> + //generate one
> + f = File.createTempFile("NodeDDAtest",
> ".dat", dir);
> + writeTestFilename = f.getName();
> + } else {
> + f = new File(dir, writefilename);
> + if (f.exists()) {
> + throw new
> MessageInvalidException(ProtocolErrorMessage.DISK_TARGET_EXISTS, "Write test
> target file can't exist!", identifier, false);
> + }
> + }
> +
> + f.deleteOnExit();
> +
> + FileOutputStream fos = new FileOutputStream(f);
> + fos.write(b);
> + fos.close();
> +
> + FileInputStream fis = new FileInputStream(f);
> +
> + byte[] bb = new byte[8];
> +
> + fis.read(bb);
> + fis.close();
> +
> + writeResult= HexUtil.bytesToHex(bb, 0 ,8);
> + resultWrite = Arrays.equals(b, bb);
> +
> + if (deleteFile)
> + f.delete();
> +
> + } catch (IOException ioe) {
> + }
> + }
> + status = 0;
> + }
> +
> + private String getStatus() {
> + if (status == 0) return "Done";
> + if (status > 0) return "Failed";
> + return "Unknown";
> + }
> +
> + private String getResultName(boolean rn) {
> + if (rn) return "OK";
> + return "Failed";
> + }
> +
> +}
>
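Review bot: In the else branch, the `f.exists()` test and the later `new FileOutputStream(f)` form a check-then-open sequence on a client-supplied name. FileOutputStream opens whatever is at that path when it runs, truncating an existing file and following a symlink, so the exists() result no longer guarantees anything by then. At minimum, replace the test with `f.createNewFile()`, which checks and creates in one atomic step, and raise DISK_TARGET_EXISTS when it returns false. `new File(dir, writefilename)` also uses the name unchecked, so a value containing `..` resolves outside `dir`; compare the canonical path against `dir` before writing. Separately, `catch (IOException ioe) { }` discards the error and `status = 0` is set afterwards regardless, so `getStatus()` returns "Done" even when the write or read failed.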
_______________________________________________ Devl mailing list [email protected] http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
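
The exclusive-create behaviour asked for in the reply above, as an added example that is not part of the original message or of Freenet's code. It uses `java.nio.file` (Java 7 and later, so newer than this 2007 thread); `writeProbe`, the class name and the file names are hypothetical.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.*;
import java.util.Arrays;

public class ExclusiveProbeWrite {
    // Hypothetical helper (not Freenet code): write probe bytes to a
    // client-named file under dir, read them back, then remove the file.
    static boolean writeProbe(Path dir, String clientName, byte[] probe) throws IOException {
        Path base = dir.toRealPath();
        Path target = base.resolve(clientName).normalize();
        // Reject names that leave the allowed directory ("../x", absolute paths)
        // or that pass through a symlinked subdirectory.
        if (!target.startsWith(base) || target.equals(base)
                || !target.getParent().toRealPath().startsWith(base)) {
            throw new IOException("target outside allowed directory: " + clientName);
        }
        // CREATE_NEW fuses "does it exist?" and "create it" into one atomic
        // step; an existing file or symlink at target fails the open.
        try (OutputStream out = Files.newOutputStream(target,
                StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE)) {
            out.write(probe);
        }
        try {
            return Arrays.equals(probe, Files.readAllBytes(target));
        } finally {
            Files.delete(target); // only reached for a file this call created
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("dda-example"); // constructed sandbox
        byte[] probe = {1, 2, 3, 4, 5, 6, 7, 8};
        System.out.println("fresh name ok: " + writeProbe(dir, "probe.dat", probe));

        // Constructed case: paths that already exist, one of them a symlink
        // (symlink creation assumes a POSIX filesystem), plus a "../" name.
        Path other = Files.createFile(dir.resolve("other.dat"));
        Files.createSymbolicLink(dir.resolve("link.dat"), other);
        for (String name : new String[] {"link.dat", "other.dat", "../escape.dat"}) {
            try {
                writeProbe(dir, name, probe);
            } catch (IOException e) {
                System.out.println("refused " + name + ": " + e);
            }
        }
    }
}
```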
