Check that the directory does not exist.
Otherwise, it could allow local users to obtain sensitive information or overwrite arbitrary files via a symlink attack on temporary directories with predictable names.
Reported as CVE-2014-2893 (https://security-tracker.debian.org/tracker/CVE-2014-2893)
Found by Jakub Wilk
llvm-svn: 211051
parent 675d279af4
commit c7bc52596f
@ -206,6 +206,12 @@ sub GetHTMLRunDir {
else {
$NewDir = "$Dir/$DateString-$RunNumber";
}
# Make sure that the directory does not exist in order to avoid hijack.
if (-d $NewDir) {
DieDiag("The directory '$NewDir' already exists.\n");
}
mkpath($NewDir);
return $NewDir;
}
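Review bot: The new `if (-d $NewDir)` test and the following `mkpath($NewDir)` are two separate steps, so a local user who can write to `$Dir` can still create the directory (or a symlink to one) in the window between the check and the creation, and `mkpath` will then succeed silently on the pre-existing path. Consider creating the final path component with a plain `mkdir($NewDir)` and calling `DieDiag` when it fails, since `mkdir` is atomic and refuses an existing path, which makes the separate existence test unnecessary. Note also that `-d` only catches existing directories (including symlinks that resolve to one); a dangling symlink or a regular file at `$NewDir` passes the check, so `-e $NewDir || -l $NewDir` would be the broader test if the check is kept. The name `"$Dir/$DateString-$RunNumber"` stays predictable after this change, so the fix depends entirely on the creation step failing closed.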