From: Otto <otto.moerbeek@open-xchange.com>
Date: Fri, 24 Sep 2021 12:11:19 +0000 (+0200)
Subject: Don't create file with wide permissions as noted by CodeQL
X-Git-Tag: auth-4.6.0-alpha1~21^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9ef9159f5228da7df681aff74629d8c89610416b;p=thirdparty%2Fpdns.git

Don't create file with wide permissions as noted by CodeQL
---

diff --git a/pdns/libssl.cc b/pdns/libssl.cc
index ccc287ed6d..076a8d39bc 100644
--- a/pdns/libssl.cc
+++ b/pdns/libssl.cc
@@ -15,6 +15,7 @@
 #include <openssl/ocsp.h>
 #include <openssl/rand.h>
 #include <openssl/ssl.h>
+#include <fcntl.h>
 
 #ifdef HAVE_LIBSODIUM
 #include <sodium.h>
@@ -779,8 +780,13 @@ static void libssl_key_log_file_callback(const SSL* ssl, const char* line)
 std::unique_ptr<FILE, int(*)(FILE*)> libssl_set_key_log_file(std::unique_ptr<SSL_CTX, void(*)(SSL_CTX*)>& ctx, const std::string& logFile)
 {
 #ifdef HAVE_SSL_CTX_SET_KEYLOG_CALLBACK
-  auto fp = std::unique_ptr<FILE, int(*)(FILE*)>(fopen(logFile.c_str(), "a"), fclose);
+  int fd = open(logFile.c_str(),  O_WRONLY | O_CREAT, 0600);
+  if (fd == -1) {
+    throw std::runtime_error("Error opening TLS log file '" + logFile + "'");
+  }
+  auto fp = std::unique_ptr<FILE, int(*)(FILE*)>(fdopen(fd, "a"), fclose);
   if (!fp) {
+    close(fd);
     throw std::runtime_error("Error opening TLS log file '" + logFile + "'");
   }