luc14n0/glib
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/glib.git synced 2024-11-10 03:16:17 +01:00
Code Issues Packages Projects Releases Wiki Activity

Ensure g_file_copy() does not temporarily expose private files

Browse Source 
Previously, g_file_copy() would (on Unix) create files with the
default mode of 644.  For applications which might at user request
copy arbitrary private files such as ~/.ssh or /etc/shadow, a
world-readable copy would be temporarily exposed.

This patch is suboptimal in that it *only* fixes g_file_copy()
for the case where both source and destination are instances of
GLocalFile on Unix.

The reason for this is that the public GFile APIs for creating files
allow very limited control over the access permissions for the created
file; one can either say a file is "private" or not.  Fixing
this by adding e.g. g_file_create_with_attributes() would make sense,
except this would entail 8 new API calls for all the variants of
_create(), _create_async(), _replace(), _replace_async(),
_create_readwrite(), _create_readwrite_async(), _replace_readwrite(),
_replace_readwrite_async().  That can be done as a separate patch
later.

https://bugzilla.gnome.org/show_bug.cgi?id=699959
This commit is contained in:
Colin Walters 2013-05-12 07:28:01 +01:00
parent 02aaef5a4d
commit 9f1a0b57cd
5 changed files with 63 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
gio/gfile.c
View File

@ -60,6 +60,7 @@
#include "gfileoutputstream.h"
#include "glocalfileoutputstream.h"
#include "glocalfileiostream.h"
#include "glocalfile.h"
#include "gcancellable.h"
#include "gasyncresult.h"
#include "gioerror.h"
@ -3099,7 +3100,28 @@ file_copy_fallback (GFile *source,
do_set_attributes = TRUE;
}
if (flags & G_FILE_COPY_OVERWRITE)
/* In the local file path, we pass down the source info which
* includes things like unix::mode, to ensure that the target file
* is not created with different permissions from the source file.
*
* If a future API like g_file_replace_with_info() is added, switch
* this code to use that.
*/
if (G_IS_LOCAL_FILE (destination))
{
if (flags & G_FILE_COPY_OVERWRITE)
out = (GOutputStream*)_g_local_file_output_stream_replace (_g_local_file_get_filename (G_LOCAL_FILE (destination)),
FALSE, NULL,
flags & G_FILE_COPY_BACKUP,
G_FILE_CREATE_REPLACE_DESTINATION,
info,
cancellable, error);
else
out = (GOutputStream*)_g_local_file_output_stream_create (_g_local_file_get_filename (G_LOCAL_FILE (destination)),
FALSE, 0, info,
cancellable, error);
}
else if (flags & G_FILE_COPY_OVERWRITE)
{
out = (GOutputStream *)g_file_replace (destination,
NULL,

23
gio/glocalfile.c
View File

@ -187,6 +187,11 @@ g_local_file_init (GLocalFile *local)
{
}
const char *
_g_local_file_get_filename (GLocalFile *file)
{
return file->filename;
}
static char *
canonicalize_filename (const char *filename)
@ -1396,8 +1401,8 @@ g_local_file_create (GFile *file,
GError **error)
{
return _g_local_file_output_stream_create (G_LOCAL_FILE (file)->filename,
FALSE,
flags, cancellable, error);
FALSE, flags, NULL,
cancellable, error);
}
static GFileOutputStream *
@ -1409,9 +1414,9 @@ g_local_file_replace (GFile *file,
GError **error)
{
return _g_local_file_output_stream_replace (G_LOCAL_FILE (file)->filename,
FALSE,
etag, make_backup, flags,
cancellable, error);
FALSE,
etag, make_backup, flags, NULL,
cancellable, error);
}
static GFileIOStream *
@ -1443,7 +1448,7 @@ g_local_file_create_readwrite (GFile *file,
GFileIOStream *res;
output = _g_local_file_output_stream_create (G_LOCAL_FILE (file)->filename,
TRUE, flags,
TRUE, flags, NULL,
cancellable, error);
if (output == NULL)
return NULL;
@ -1465,9 +1470,9 @@ g_local_file_replace_readwrite (GFile *file,
GFileIOStream *res;
output = _g_local_file_output_stream_replace (G_LOCAL_FILE (file)->filename,
TRUE,
etag, make_backup, flags,
cancellable, error);
TRUE,
etag, make_backup, flags, NULL,
cancellable, error);
if (output == NULL)
return NULL;

2
gio/glocalfile.h
View File

@ -46,6 +46,8 @@ GType _g_local_file_get_type (void) G_GNUC_CONST;
GFile * _g_local_file_new (const char *filename);
const char * _g_local_file_get_filename (GLocalFile *file);
G_END_DECLS
#endif /* __G_LOCAL_FILE_H__ */

36
gio/glocalfileoutputstream.c
View File

@ -37,6 +37,7 @@
#include "gioerror.h"
#include "gcancellable.h"
#include "glocalfileoutputstream.h"
#include "gfileinfo.h"
#include "glocalfileinfo.h"
#ifdef G_OS_UNIX
@ -608,10 +609,23 @@ _g_local_file_output_stream_open (const char *filename,
return output_stream_open (filename, open_flags, 0666, cancellable, error);
}
static gint
mode_from_flags_or_info (GFileCreateFlags flags,
GFileInfo *reference_info)
{
if (flags & G_FILE_CREATE_PRIVATE)
return 0600;
else if (reference_info && g_file_info_has_attribute (reference_info, "unix::mode"))
return g_file_info_get_attribute_uint32 (reference_info, "unix::mode") & (~S_IFMT);
else
return 0666;
}
GFileOutputStream *
_g_local_file_output_stream_create (const char *filename,
gboolean readable,
GFileCreateFlags flags,
GFileInfo *reference_info,
GCancellable *cancellable,
GError **error)
{
@ -621,10 +635,7 @@ _g_local_file_output_stream_create (const char *filename,
if (g_cancellable_set_error_if_cancelled (cancellable, error))
return NULL;
if (flags & G_FILE_CREATE_PRIVATE)
mode = 0600;
else
mode = 0666;
mode = mode_from_flags_or_info (flags, reference_info);
open_flags = O_CREAT | O_EXCL | O_BINARY;
if (readable)
@ -735,6 +746,7 @@ handle_overwrite_open (const char *filename,
gboolean create_backup,
char **temp_filename,
GFileCreateFlags flags,
GFileInfo *reference_info,
GCancellable *cancellable,
GError **error)
{
@ -746,10 +758,7 @@ handle_overwrite_open (const char *filename,
int res;
int mode;
if (flags & G_FILE_CREATE_PRIVATE)
mode = 0600;
else
mode = 0666;
mode = mode_from_flags_or_info (flags, reference_info);
/* We only need read access to the original file if we are creating a backup.
* We also add O_CREATE to avoid a race if the file was just removed */
@ -1070,6 +1079,7 @@ _g_local_file_output_stream_replace (const char *filename,
const char *etag,
gboolean create_backup,
GFileCreateFlags flags,
GFileInfo *reference_info,
GCancellable *cancellable,
GError **error)
{
@ -1085,10 +1095,7 @@ _g_local_file_output_stream_replace (const char *filename,
temp_file = NULL;
if (flags & G_FILE_CREATE_PRIVATE)
mode = 0600;
else
mode = 0666;
mode = mode_from_flags_or_info (flags, reference_info);
sync_on_close = FALSE;
/* If the file doesn't exist, create it */
@ -1103,8 +1110,9 @@ _g_local_file_output_stream_replace (const char *filename,
{
/* The file already exists */
fd = handle_overwrite_open (filename, readable, etag,
create_backup, &temp_file,
flags, cancellable, error);
create_backup, &temp_file,
flags, reference_info,
cancellable, error);
if (fd == -1)
return NULL;

2
gio/glocalfileoutputstream.h
View File

@ -67,6 +67,7 @@ GFileOutputStream * _g_local_file_output_stream_open (const char *file
GFileOutputStream * _g_local_file_output_stream_create (const char *filename,
gboolean readable,
GFileCreateFlags flags,
GFileInfo *reference_info,
GCancellable *cancellable,
GError **error);
GFileOutputStream * _g_local_file_output_stream_append (const char *filename,
@ -78,6 +79,7 @@ GFileOutputStream * _g_local_file_output_stream_replace (const char *file
const char *etag,
gboolean create_backup,
GFileCreateFlags flags,
GFileInfo *reference_info,
GCancellable *cancellable,
GError **error);