Please review pull request #629: (#13643) Make the use of FileUtils.rm_rf secure opened by (kelseyhightower)
Description:
Use the :secure option with the FileUtils.rm_rf method to
avoid a TOCTTOU (time-of-check-to-time-of-use) local security
vulnerability.
- Opened: Thu Apr 05 13:43:59 UTC 2012
- Based on: puppetlabs:2.7.x (d88f3e7c387eff270101604f2fec2e086f88ebdd)
- Requested merge: kelseyhightower:ticket/2.7.x/13643_make_rm_rf_secure (9cbda4997d6456f74006f6b0c4691f7ec4292805)
Diff follows:
diff --git a/lib/puppet/module_tool/applications/builder.rb b/lib/puppet/module_tool/applications/builder.rb
index 322020a..4fb9f26 100644
--- a/lib/puppet/module_tool/applications/builder.rb
+++ b/lib/puppet/module_tool/applications/builder.rb
@@ -61,7 +61,7 @@ def gzip
def create_directory
FileUtils.mkdir(@pkg_path) rescue nil
if File.directory?(build_path)
- FileUtils.rm_rf(build_path)
+ FileUtils.rm_rf(build_path, :secure => true)
end
FileUtils.mkdir(build_path)
end
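Review bot: In create_directory the `if File.directory?(build_path)` guard remains a separate check ahead of the removal, and it skips the cleanup entirely when build_path exists as something other than a directory, so the following `FileUtils.mkdir(build_path)` then fails. FileUtils.rm_rf already tolerates a missing path, so the guard can be dropped and `FileUtils.rm_rf(build_path, :secure => true)` called unconditionally. Also note that rm_rf suppresses errors, so a removal that does not complete only surfaces at the mkdir on the next line; a comment saying that this is intended would help.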
diff --git a/lib/puppet/module_tool/applications/uninstaller.rb b/lib/puppet/module_tool/applications/uninstaller.rb
index 2ee9b98..5ffaecd 100644
--- a/lib/puppet/module_tool/applications/uninstaller.rb
+++ b/lib/puppet/module_tool/applications/uninstaller.rb
@@ -22,7 +22,7 @@ def run
begin
find_installed_module
validate_module
- FileUtils.rm_rf(@installed.first.path)
+ FileUtils.rm_rf(@installed.first.path, :secure => true)
results[:affected_modules] = @installed
results[:result] = :success
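Review bot: In run, `results[:result] = :success` is set immediately after the rm_rf call, and rm_rf suppresses errors, so an uninstall whose removal fails is still reported as a success. Either confirm that `@installed.first.path` no longer exists before recording success, or use `FileUtils.rm_r(@installed.first.path, :secure => true)` so the failure is raised inside the enclosing begin block and can be reported.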
diff --git a/lib/puppet/module_tool/applications/unpacker.rb b/lib/puppet/module_tool/applications/unpacker.rb
index f06c62d..67a76fb 100644
--- a/lib/puppet/module_tool/applications/unpacker.rb
+++ b/lib/puppet/module_tool/applications/unpacker.rb
@@ -41,7 +41,7 @@ def extract_module_to_install_dir
def delete_existing_installation_or_abort!
return unless @module_dir.exist?
- FileUtils.rm_rf @module_dir
+ FileUtils.rm_rf(@module_dir, :secure => true)
end
end
end
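Review bot: delete_existing_installation_or_abort! promises an abort in its name, but nothing in the visible lines aborts when the removal fails, because rm_rf suppresses errors. Consider raising if `@module_dir.exist?` is still true after the call, so that extraction does not continue on top of a partially removed installation. The patch also changes three call sites without touching any spec; a test that exercises each removal with `:secure => true` would keep the option from being dropped later.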
