Fedora 24
tmpfile weakness #16

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, because the file is temporary and is generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage) or, worse, to influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

modsecurity-2.9.0/apache2/msc_util.c

Context:

The highlighted line of code below is the trigger point of this particular Fedora 24 tmpfile weakness.

    apr_time_exp_lt(&t, apr_time_now());

    apr_strftime(tstr, &len, 80, "%Y%m%d-%H%M%S", &t);
    return apr_pstrdup(mp, tstr);
}

/**
 *
 */
int msc_mkstemp_ex(char *templat, int mode) {
    int fd = -1;

    /* ENH Use apr_file_mktemp instead. */

#if !(defined(WIN32)||defined(NETWARE))
    fd = mkstemp(templat);
#ifdef HAVE_FCHMOD
    if ((fd != -1) && (mode != 0)) {
        if (fchmod(fd, mode) == -1) {
            return -1;
        }
    }
#endif /* HAVE_FCHMOD */
#else
    if (mktemp(templat) == NULL) return -1;
    fd = open(templat, O_WRONLY | O_APPEND | O_CREAT | O_BINARY, mode);
#endif /* !(defined(WIN32)||defined(NETWARE)) */

    return fd;
}

/**
 *
 */
int msc_mkstemp(char *templat) {
    return msc_mkstemp_ex(templat, CREATEMODE_UNISTD);
}

/**
 * Converts the input string to lowercase (in-place).
 */
char *strtolower_inplace(unsigned char *str) {
    unsigned char *c = str;

    if (str == NULL) return NULL;

    while(*c != 0) {
        *c = tolower(*c);
        c++;
    } 
