tmpdir.rb: permission of user given directory

* lib/tmpdir.rb (Dir.mktmpdir): check if the permission of the parent directory only when using the default temporary directory, and no check against user given directory. the security is the user's responsibility in that case. [ruby-core:91216] [Bug #15555] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@66909 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
akkyta · Jan 23, 2019 · 1fae154 · 1fae154
1 parent 05c3256
commit 1fae154
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 5 deletions.
diff --git a/lib/tmpdir.rb b/lib/tmpdir.rb
@@ -83,14 +83,20 @@ def self.tmpdir
   #  end
   #
   def self.mktmpdir(prefix_suffix=nil, *rest)
-    path = Tmpname.create(prefix_suffix || "d", *rest) {|n| mkdir(n, 0700)}
+    base = nil
+    path = Tmpname.create(prefix_suffix || "d", *rest) {|path, _, _, d|
+      base = d
+      mkdir(path, 0700)
+    }
     if block_given?
       begin
         yield path
       ensure
-        stat = File.stat(File.dirname(path))
-        if stat.world_writable? and !stat.sticky?
-          raise ArgumentError, "parent directory is world writable but not sticky"
+        unless base
+          stat = File.stat(File.dirname(path))
+          if stat.world_writable? and !stat.sticky?
+            raise ArgumentError, "parent directory is world writable but not sticky"
+          end
         end
         FileUtils.remove_entry path
       end
@@ -110,6 +116,7 @@ def create(basename, tmpdir=nil, max_try: nil, **opts)
       if $SAFE > 0 and tmpdir.tainted?
         tmpdir = '/tmp'
       else
+        origdir = tmpdir
         tmpdir ||= tmpdir()
       end
       n = nil
@@ -125,7 +132,7 @@ def create(basename, tmpdir=nil, max_try: nil, **opts)
         path = "#{prefix}#{t}-#{$$}-#{rand(0x100000000).to_s(36)}"\
                "#{n ? %[-#{n}] : ''}#{suffix||''}"
         path = File.join(tmpdir, path)
-        yield(path, n, opts)
+        yield(path, n, opts, origdir)
       rescue Errno::EEXIST
         n ||= 0
         n += 1

diff --git a/test/test_tmpdir.rb b/test/test_tmpdir.rb
@@ -33,6 +33,12 @@ def test_world_writable
         assert_equal(tmpdir, Dir.tmpdir)
         File.chmod(0777, tmpdir)
         assert_not_equal(tmpdir, Dir.tmpdir)
+        newdir = Dir.mktmpdir("d", tmpdir) do |dir|
+          assert_file.directory? dir
+          assert_equal(tmpdir, File.dirname(dir))
+          dir
+        end
+        assert_file.not_exist?(newdir)
         File.chmod(01777, tmpdir)
         assert_equal(tmpdir, Dir.tmpdir)
       ensure