author | erik <erik> | 2007-01-26 20:30:32 (UTC) |
---|---|---|
committer | erik <erik> | 2007-01-26 20:30:32 (UTC) |
commit | f77da1ae08512b02a3c50a124f823ed77e53dd64 (patch) (unidiff) | |
tree | ac7e414aff95348e0bf2fba3f45b2a06a4eb4623 /core/apps | |
parent | 4688f98202f590ec6af6c2e66a49dd2f80536083 (diff) | |
download | opie-f77da1ae08512b02a3c50a124f823ed77e53dd64.zip opie-f77da1ae08512b02a3c50a124f823ed77e53dd64.tar.gz opie-f77da1ae08512b02a3c50a124f823ed77e53dd64.tar.bz2 |
Both packageslave.cpp and textedit.cpp have instances of possibly exploitable
race conditions associated to files. The big deal is that it is quite typical
to use strings of pathnames to track files. But because that does not leverage
the filesystem would be attackers may be able to exploit time lags in uses
of filesystem functions (like stat and chmod or open) to get files with
suspect data into the files that the applications are working with.
This commit closes that potential hole even though there are no known exploits.
Better safe then sorry. There is no change in the behavior of the apps.
-rw-r--r-- | core/apps/textedit/textedit.cpp | 45 |
1 files changed, 21 insertions, 24 deletions
diff --git a/core/apps/textedit/textedit.cpp b/core/apps/textedit/textedit.cpp index 4bbc62b..1c81a55 100644 --- a/core/apps/textedit/textedit.cpp +++ b/core/apps/textedit/textedit.cpp | |||
@@ -782,3 +782,3 @@ void TextEdit::showEditTools() { | |||
782 | bool TextEdit::save() { | 782 | bool TextEdit::save() { |
783 | QString name, file; | 783 | QString name, file; |
784 | odebug << "saveAsFile " + currentFileName << oendl; | 784 | odebug << "saveAsFile " + currentFileName << oendl; |
@@ -788,12 +788,11 @@ bool TextEdit::save() { | |||
788 | } | 788 | } |
789 | name = currentFileName; | 789 | if(doc) { |
790 | if(doc) { | 790 | file = doc->file(); |
791 | file = doc->file(); | 791 | odebug << "saver file "+file << oendl; |
792 | odebug << "saver file "+file << oendl; | 792 | name = doc->name(); |
793 | name = doc->name(); | 793 | odebug << "File named "+name << oendl; |
794 | odebug << "File named "+name << oendl; | 794 | } else { |
795 | } else { | 795 | file = currentFileName; |
796 | file = currentFileName; | ||
797 | name = QFileInfo(currentFileName).baseName(); | 796 | name = QFileInfo(currentFileName).baseName(); |
798 | } | 797 | } |
799 | 798 | ||
@@ -809,3 +808,4 @@ bool TextEdit::save() { | |||
809 | mode_t mode; | 808 | mode_t mode; |
810 | stat(file.latin1(), &buf); | 809 | QFile f(file); |
810 | fstat(f.handle(), &buf); | ||
811 | mode = buf.st_mode; | 811 | mode = buf.st_mode; |
@@ -816,3 +816,3 @@ bool TextEdit::save() { | |||
816 | if ( !fm.saveFile( *doc, rt ) ) { | 816 | if ( !fm.saveFile( *doc, rt ) ) { |
817 | QMessageBox::message(tr("Text Edit"),tr("Save Failed")); | 817 | QMessageBox::message(tr("Text Edit"),tr("Save Failed")); |
818 | return false; | 818 | return false; |
@@ -821,11 +821,9 @@ bool TextEdit::save() { | |||
821 | odebug << "regular save file" << oendl; | 821 | odebug << "regular save file" << oendl; |
822 | QFile f(file); | 822 | if( f.open(IO_WriteOnly)) { |
823 | if( f.open(IO_WriteOnly)) { | 823 | QCString crt = rt.utf8(); |
824 | QCString crt = rt.utf8(); | 824 | f.writeBlock(crt,crt.length()); |
825 | f.writeBlock(crt,crt.length()); | 825 | } else { |
826 | } else { | 826 | QMessageBox::message(tr("Text Edit"),tr("Write Failed")); |
827 | QMessageBox::message(tr("Text Edit"),tr("Write Failed")); | 827 | return false; |
828 | return false; | 828 | } |
829 | } | ||
830 | |||
831 | } | 829 | } |
@@ -835,6 +833,5 @@ bool TextEdit::save() { | |||
835 | if(caption().left(1)=="*") | 833 | if(caption().left(1)=="*") |
836 | setCaption(caption().right(caption().length()-1)); | 834 | setCaption(caption().right(caption().length()-1)); |
837 | |||
838 | 835 | ||
839 | chmod( file.latin1(), mode); | 836 | fchmod( f.handle(), mode); |
840 | } | 837 | } |