jeremy/callisto
1
Fork 0
Code Releases Activity

fs: fix security issues in mkdir and mkpath

Browse source 
777 is writable to anyone, 755 is only writable to the owner/group
This commit is contained in:
Jeremy Baxter 2024-03-24 14:06:56 +13:00
parent dac9418d8e
commit a1c2f49232
1 changed files with 3 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

6
lfs.c
View file

@ -389,7 +389,7 @@ fs_mkpath(lua_State *L)
int done; int done;
path = luaL_checkstring(L, 1); path = luaL_checkstring(L, 1);
mode = dir_mode = 0777; mode = dir_mode = 0755;
slash = (char *)path; slash = (char *)path;
for (;;) { for (;;) {
@ -400,7 +400,7 @@ fs_mkpath(lua_State *L)
*slash = '\0'; *slash = '\0';
if (mkdir(path, done ? mode : dir_mode) == 0) { if (mkdir(path, done ? mode : dir_mode) == 0) {
if (mode > 0777 && chmod(path, mode) == -1) if (mode > 0755 && chmod(path, mode) == -1)
return lfail(L); return lfail(L);
} else { } else {
int mkdir_errno = errno; int mkdir_errno = errno;
@ -447,7 +447,7 @@ fs_mkdir(lua_State *L)
int ret; int ret;
dir = strdup(luaL_checkstring(L, 1)); dir = strdup(luaL_checkstring(L, 1));
ret = mkdir(dir, 0777); ret = mkdir(dir, 0755);
free(dir); free(dir);
if (ret == 0) { if (ret == 0) {