author | Lamont Granquist <lamont@scriptkiddie.org> | 2013-10-22 12:00:57 -0700 |
committer | Lamont Granquist <lamont@scriptkiddie.org> | 2013-10-23 17:15:10 -0700 |
commit | 632b134e5bebe06acb91e03867eb453f05fe9c1b (patch) | |
tree | 391754df7ea378acc28c709aaf5c283bb1d6088f | |
parent | 026c5ab32c2773d8a8a9bd9c318a6b21aac8f4fd (diff) | |
fix insecure tempfiles
- modernizes all the tempfile code as well
-rw-r--r-- | lib/chef/knife/core/node_editor.rb | 20 | ||||
-rw-r--r-- | lib/chef/knife/core/ui.rb | 23 | ||||
-rw-r--r-- | lib/chef/knife/edit.rb | 11 |
3 files changed, 21 insertions, 33 deletions
diff --git a/lib/chef/knife/core/node_editor.rb b/lib/chef/knife/core/node_editor.rb
index 7707743ce5..2fe090d114 100644
--- a/lib/chef/knife/core/node_editor.rb
+++ b/lib/chef/knife/core/node_editor.rb
@@ -18,6 +18,7 @@
 require 'chef/json_compat'
 require 'chef/node'
+require 'tempfile'
 class Chef
 class Knife
@@ -109,20 +110,15 @@ class Chef
 end
 def tempfile_for(data)
- # TODO: include useful info like the node name in the temp file
- # name
- basename = "knife-edit-" << rand(1_000_000_000_000_000).to_s.rjust(15, '0') << '.json'
- filename = File.join(Dir.tmpdir, basename)
- File.open(filename, "w+") do |f|
- f.sync = true
- f.puts data
- end
+ Tempfile.new([ 'knife-edit-', '.json' ]) do |file|
+ file.sync = true
+ file.puts data
+ file.close
- yield filename
+ yield file.path
- IO.read(filename)
- ensure
- File.unlink(filename)
+ IO.read(file.path)
+ end
 end
 end
 end
diff --git a/lib/chef/knife/core/ui.rb b/lib/chef/knife/core/ui.rb
index d0bdaa7ac0..0b39243966 100644
--- a/lib/chef/knife/core/ui.rb
+++ b/lib/chef/knife/core/ui.rb
@@ -21,6 +21,7 @@
 require 'forwardable'
 require 'chef/platform/query_helpers'
 require 'chef/knife/core/generic_presenter'
+require 'tempfile'
 class Chef
 class Knife
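Review bot: `Tempfile.new([ 'knife-edit-', '.json' ]) do |file| … end` in tempfile_for never executes its block — `Tempfile.new` does not yield (only `Tempfile.open` and `Tempfile.create` do), so the method returns the Tempfile object without yielding the path or reading the edited JSON back; the same construct appears in the ui.rb `@@ -165` hunk and in both edit.rb hunks, and the fix is the same at each site. Change the call to `Tempfile.open([ 'knife-edit-', '.json' ]) do |file|` (with `|tf|` in ui.rb and `extension` in edit.rb). A second regression shared by all three files: the old code removed the file (`File.unlink(filename)` here, `file.close!` in edit.rb), whereas the block form of `Tempfile.open` only closes on exit, so the edited node/data JSON lingers on disk until the Tempfile object is finalized. Add `ensure file.close!` inside each block, or use `Tempfile.create`, which removes the file when the block ends, where the Ruby in use has it.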
@@ -165,19 +166,15 @@ class Chef
 output = Chef::JSONCompat.to_json_pretty(data)
 if (!config[:disable_editing])
- filename = "knife-edit-"
- 0.upto(20) { filename += rand(9).to_s }
- filename << ".json"
- filename = File.join(Dir.tmpdir, filename)
- tf = File.open(filename, "w")
- tf.sync = true
- tf.puts output
- tf.close
- raise "Please set EDITOR environment variable" unless system("#{config[:editor]} #{tf.path}")
- tf = File.open(filename, "r")
- output = tf.gets(nil)
- tf.close
- File.unlink(filename)
+ Tempfile.new([ 'knife-edit-', '.json' ]) do |tf|
+ tf.sync = true
+ tf.puts output
+ tf.close
+
+ raise "Please set EDITOR environment variable" unless system("#{config[:editor]} #{tf.path}")
+
+ output = IO.read(tf.path)
+ end
 end
 parse_output ? Chef::JSONCompat.from_json(output) : output
diff --git a/lib/chef/knife/edit.rb b/lib/chef/knife/edit.rb
index 830da84a12..442b0e08c2 100644
--- a/lib/chef/knife/edit.rb
+++ b/lib/chef/knife/edit.rb
@@ -51,10 +51,8 @@ class Chef
 def edit_text(text, extension)
 if (!config[:disable_editing])
- file = Tempfile.new([ 'knife-edit-', extension ])
- begin
+ Tempfile.new([ 'knife-edit-', extension ]) do |file|
 # Write the text to a temporary file
- file.open
 file.write(text)
 file.close
@@ -63,12 +61,9 @@ class Chef
 raise "Please set EDITOR environment variable"
 end
- file.open
- result_text = file.read
- return result_text if result_text != text
+ result_text = IO.read(file.path)
- ensure
- file.close!
+ return result_text if result_text != text
 end
 end
 end
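Review bot: The re-added `raise "Please set EDITOR environment variable" unless system("#{config[:editor]} #{tf.path}")` in the ui.rb `@@ -165` hunk conflates three different failures — `config[:editor]` being unset, the editor command not being executable, and the editor exiting non-zero (`system` returns nil or false in those cases) — and reports all of them as a missing EDITOR; the enclosing method starts and ends outside the hunk. Check the setting before creating the temp file, e.g. `raise "Please set EDITOR environment variable" if config[:editor].to_s.empty?`, and report a failed editor run with its own message. As a point of style in this hunk and in edit.rb, `IO.read(tf.path)` reads better as `File.read(tf.path)`: `IO.read` treats a leading `|` in its argument as a command to run, which is harmless with a Tempfile-generated path but makes the intent less explicit.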