From: Tomas Hoger Date: Sun, 9 Feb 2014 08:40:59 +0000 (+0100) Subject: Fix CVE-2014-0012 X-Git-Tag: 2.7.3~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=964c61ce79f6748ff8c583e2eb12ec54082bf188;p=thirdparty%2Fjinja.git Fix CVE-2014-0012 Add checks for the per-user temporary directory. If it already exists, make sure that it: - is owned by the current user - is directory - has expected permissions This commit also fixes: - nt -> n typo pointed out in the review of acb672b - replace 448 with stat.S_IRWXU when setting directory mode Signed-off-by: Armin Ronacher --- diff --git a/jinja2/bccache.py b/jinja2/bccache.py index 09ff8450..2d28ab8b 100644 --- a/jinja2/bccache.py +++ b/jinja2/bccache.py @@ -16,6 +16,7 @@ """ from os import path, listdir import os +import stat import sys import errno import marshal @@ -215,7 +216,7 @@ class FileSystemBytecodeCache(BytecodeCache): # On windows the temporary directory is used specific unless # explicitly forced otherwise. We can just use that. - if os.name == 'n': + if os.name == 'nt': return tmpdir if not hasattr(os, 'getuid'): raise RuntimeError('Cannot determine safe temp directory. You ' @@ -224,12 +225,18 @@ class FileSystemBytecodeCache(BytecodeCache): dirname = '_jinja2-cache-%d' % os.getuid() actual_dir = os.path.join(tmpdir, dirname) try: - # 448 == 0700 - os.mkdir(actual_dir, 448) + os.mkdir(actual_dir, stat.S_IRWXU) # 0o700 except OSError as e: if e.errno != errno.EEXIST: raise + actual_dir_stat = os.lstat(actual_dir) + if actual_dir_stat.st_uid != os.getuid() \ + or not stat.S_ISDIR(actual_dir_stat.st_mode) \ + or stat.S_IMODE(actual_dir_stat.st_mode) != stat.S_IRWXU: + raise RuntimeError('Temporary directory \'%s\' has an incorrect ' + 'owner, permissions, or type.' % actual_dir) + return actual_dir def _get_cache_filename(self, bucket):