[mythtv-commits] Ticket #5288: HTTPRequest::SendResponseFile file race and negative returns
MythTV
mythtv at cvs.mythtv.org
Sat May 3 21:56:39 UTC 2008
#5288: HTTPRequest::SendResponseFile file race and negative returns
---------------------------------------------+------------------------------
Reporter: Erik Hovland <erik at hovland.org> | Owner: ijr
Type: defect | Status: new
Priority: minor | Milestone: unknown
Component: mythtv | Version: head
Severity: low | Mlocked: 0
---------------------------------------------+------------------------------
A file race exists in HTTPRequest::SendResponseFile often termed as "time
of check, time of use". The function has a string which should be a file
name. That string is used to get the files information with a stat() call.
Then (in this case) the file is opened using the same string. A nefarious
user could exploit the time in between these two calls to get the function
to open whatever file it wants as long as it is still called the same
thing by the string since the stat information was retrieved. The second
defect is that open() is called but the returned file descriptor is not
checked to see if the open() worked. Then the function passes the file
descriptor to close(), if it is negative - close()'es behavior is
unspecified and might cause crashing.
The patches solution is to do a QFile::open() instead of a QFile::exists()
on the file name. And error out if there was a problem. Then use the
QFile::size() instead of stat to get the amount of bytes in the file.
Finally, the open() call is removed and the file will close when the QFile
object goes out of scope.
--
Ticket URL: <http://svn.mythtv.org/trac/ticket/5288>
MythTV <http://www.mythtv.org/>
MythTV
More information about the mythtv-commits
mailing list