Posted to commits@jclouds.apache.org by ga...@apache.org on 2014/07/02 09:15:01 UTC
git commit: JCLOUDS-612: Securely create temporary directories
Repository: jclouds
Updated Branches:
refs/heads/1.7.x 7f2845349 -> 0cb2a1563
JCLOUDS-612: Securely create temporary directories
This commit addresses a potential security issue where an attacker
could hijack the ScriptBuilder payload by predicting the temporary
directory name.
Project: http://git-wip-us.apache.org/repos/asf/jclouds/repo
Commit: http://git-wip-us.apache.org/repos/asf/jclouds/commit/0cb2a156
Tree: http://git-wip-us.apache.org/repos/asf/jclouds/tree/0cb2a156
Diff: http://git-wip-us.apache.org/repos/asf/jclouds/diff/0cb2a156
Branch: refs/heads/1.7.x
Commit: 0cb2a1563dc9b175fbef1972a4e528e9a74e2b1a
Parents: 7f28453
Author: Andrew Gaul <ga...@apache.org>
Authored: Thu Jun 19 14:20:26 2014 -0700
Committer: Andrew Gaul <ga...@apache.org>
Committed: Wed Jul 2 00:14:27 2014 -0700
----------------------------------------------------------------------
compute/src/test/resources/initscript_with_jetty.sh | 8 ++++----
.../java/org/jclouds/scriptbuilder/domain/Statements.java | 9 +++++----
.../org/jclouds/scriptbuilder/domain/StatementsTest.java | 8 ++++----
.../scriptbuilder/statements/ruby/InstallRubyGemsTest.java | 6 +++---
scriptbuilder/src/test/resources/test_install_rubygems.sh | 8 ++++----
.../test/resources/test_install_rubygems_scriptbuilder.sh | 8 ++++----
6 files changed, 24 insertions(+), 23 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/jclouds/blob/0cb2a156/compute/src/test/resources/initscript_with_jetty.sh
----------------------------------------------------------------------
diff --git a/compute/src/test/resources/initscript_with_jetty.sh b/compute/src/test/resources/initscript_with_jetty.sh
index fca9683..741b6d2 100644
--- a/compute/src/test/resources/initscript_with_jetty.sh
+++ b/compute/src/test/resources/initscript_with_jetty.sh
@@ -227,11 +227,11 @@ END_OF_JCLOUDS_SCRIPT
installOpenJDK || return 1
iptables -I INPUT 1 -p tcp --dport 8080 -j ACCEPT
iptables-save
- mkdir /tmp/$$
- curl -q -s -S -L --connect-timeout 10 --max-time 600 --retry 20 -X GET http://archive.eclipse.org/jetty/8.1.8.v20121106/dist/jetty-distribution-8.1.8.v20121106.tar.gz |(mkdir -p /tmp/$$ &&cd /tmp/$$ &&tar -xpzf -)
+ export TAR_TEMP="$(mktemp -d)"
+ curl -q -s -S -L --connect-timeout 10 --max-time 600 --retry 20 -X GET http://archive.eclipse.org/jetty/8.1.8.v20121106/dist/jetty-distribution-8.1.8.v20121106.tar.gz |(mkdir -p "${TAR_TEMP}" &&cd "${TAR_TEMP}" &&tar -xpzf -)
mkdir -p /usr/local/jetty
- mv /tmp/$$/*/* /usr/local/jetty
- rm -rf /tmp/$$
+ mv "${TAR_TEMP}"/*/* /usr/local/jetty
+ rm -rf "${TAR_TEMP}"
chown -R web /usr/local/jetty
END_OF_JCLOUDS_SCRIPT
http://git-wip-us.apache.org/repos/asf/jclouds/blob/0cb2a156/scriptbuilder/src/main/java/org/jclouds/scriptbuilder/domain/Statements.java
----------------------------------------------------------------------
diff --git a/scriptbuilder/src/main/java/org/jclouds/scriptbuilder/domain/Statements.java b/scriptbuilder/src/main/java/org/jclouds/scriptbuilder/domain/Statements.java
index 365d6a3..6d0dcdc 100644
--- a/scriptbuilder/src/main/java/org/jclouds/scriptbuilder/domain/Statements.java
+++ b/scriptbuilder/src/main/java/org/jclouds/scriptbuilder/domain/Statements.java
@@ -189,11 +189,12 @@ public class Statements {
*/
public static Statement extractTargzAndFlattenIntoDirectory(URI tgz, String dest) {
return new StatementList(ImmutableSet.<Statement> builder()
- .add(exec("mkdir /tmp/$$"))
- .add(extractTargzIntoDirectory(tgz, "/tmp/$$"))
+ .add(exec("export TAR_TEMP=\"$(mktemp -d)\""))
+ .add(extractTargzIntoDirectory(tgz, "\"${TAR_TEMP}\""))
.add(exec("mkdir -p " + dest))
- .add(exec("mv /tmp/$$/*/* " + dest))
- .add(exec("rm -rf /tmp/$$")).build());
+ .add(exec("mv \"${TAR_TEMP}\"/*/* " + dest))
+ .add(exec("rm -rf \"${TAR_TEMP}\""))
+ .build());
}
public static Statement extractTargzIntoDirectory(URI targz, String directory) {
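Review bot: The new `export TAR_TEMP="$(mktemp -d)"` line masks a failed `mktemp` (the exit status seen by the shell is `export`'s, which is 0), so if the temporary directory cannot be created TAR_TEMP is empty and the later `mv "${TAR_TEMP}"/*/* dest` expands to `mv /*/* dest`, which would move system directories into `dest`; the preceding `mkdir -p "" && cd "" && tar` chain fails without running tar, but `mv` is a separate statement and still runs unless the rendered script happens to run under `set -e`. The cheap guard is the `:?` expansion on the two consumers, which aborts a non-interactive shell when the variable is empty: `.add(exec("mv \"${TAR_TEMP:?}\"/*/* " + dest))` and `.add(exec("rm -rf \"${TAR_TEMP:?}\""))`. The same pattern is duplicated in the InstallRubyGemsTest.java hunk and the three expected-output fixtures (initscript_with_jetty.sh, test_install_rubygems.sh, test_install_rubygems_scriptbuilder.sh), which would need the matching text. The Javadoc for `extractTargzAndFlattenIntoDirectory` begins before this hunk.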
http://git-wip-us.apache.org/repos/asf/jclouds/blob/0cb2a156/scriptbuilder/src/test/java/org/jclouds/scriptbuilder/domain/StatementsTest.java
----------------------------------------------------------------------
diff --git a/scriptbuilder/src/test/java/org/jclouds/scriptbuilder/domain/StatementsTest.java b/scriptbuilder/src/test/java/org/jclouds/scriptbuilder/domain/StatementsTest.java
index 1ea5234..8bd1143 100644
--- a/scriptbuilder/src/test/java/org/jclouds/scriptbuilder/domain/StatementsTest.java
+++ b/scriptbuilder/src/test/java/org/jclouds/scriptbuilder/domain/StatementsTest.java
@@ -54,11 +54,11 @@ public class StatementsTest {
"/usr/local/maven");
assertEquals(
save.render(OsFamily.UNIX),
- "mkdir /tmp/$$\n" +
- "curl -q -s -S -L --connect-timeout 10 --max-time 600 --retry 20 -X GET http://www.us.apache.org/dist/maven/binaries/apache-maven-3.0.4-bin.tar.gz |(mkdir -p /tmp/$$ &&cd /tmp/$$ &&tar -xpzf -)\n" +
+ "export TAR_TEMP=\"$(mktemp -d)\"\n" +
+ "curl -q -s -S -L --connect-timeout 10 --max-time 600 --retry 20 -X GET http://www.us.apache.org/dist/maven/binaries/apache-maven-3.0.4-bin.tar.gz |(mkdir -p \"${TAR_TEMP}\" &&cd \"${TAR_TEMP}\" &&tar -xpzf -)\n" +
"mkdir -p /usr/local/maven\n" +
- "mv /tmp/$$/*/* /usr/local/maven\n" +
- "rm -rf /tmp/$$\n");
+ "mv \"${TAR_TEMP}\"/*/* /usr/local/maven\n" +
+ "rm -rf \"${TAR_TEMP}\"\n");
}
http://git-wip-us.apache.org/repos/asf/jclouds/blob/0cb2a156/scriptbuilder/src/test/java/org/jclouds/scriptbuilder/statements/ruby/InstallRubyGemsTest.java
----------------------------------------------------------------------
diff --git a/scriptbuilder/src/test/java/org/jclouds/scriptbuilder/statements/ruby/InstallRubyGemsTest.java b/scriptbuilder/src/test/java/org/jclouds/scriptbuilder/statements/ruby/InstallRubyGemsTest.java
index 4733ba3..8efa2b1 100644
--- a/scriptbuilder/src/test/java/org/jclouds/scriptbuilder/statements/ruby/InstallRubyGemsTest.java
+++ b/scriptbuilder/src/test/java/org/jclouds/scriptbuilder/statements/ruby/InstallRubyGemsTest.java
@@ -87,10 +87,10 @@ public class InstallRubyGemsTest {
private static String installRubyGems(String version) {
String script = "if ! hash gem 2>/dev/null; then\n"
+ "(\n"
- + "mkdir /tmp/$$\n"
+ + "export TAR_TEMP=\"$(mktemp -d)\"\n"
+ "curl -q -s -S -L --connect-timeout 10 --max-time 600 --retry 20 -X GET http://production.cf.rubygems.org/rubygems/rubygems-"
- + version + ".tgz |(mkdir -p /tmp/$$ &&cd /tmp/$$ &&tar -xpzf -)\n" + "mkdir -p /tmp/rubygems\n"
- + "mv /tmp/$$/*/* /tmp/rubygems\n" + "rm -rf /tmp/$$\n" + "cd /tmp/rubygems\n"
+ + version + ".tgz |(mkdir -p \"${TAR_TEMP}\" &&cd \"${TAR_TEMP}\" &&tar -xpzf -)\n" + "mkdir -p /tmp/rubygems\n"
+ + "mv \"${TAR_TEMP}\"/*/* /tmp/rubygems\n" + "rm -rf \"${TAR_TEMP}\"\n" + "cd /tmp/rubygems\n"
+ "ruby setup.rb --no-format-executable\n" //
+ "rm -fr /tmp/rubygems\n" + //
")\n" + //
http://git-wip-us.apache.org/repos/asf/jclouds/blob/0cb2a156/scriptbuilder/src/test/resources/test_install_rubygems.sh
----------------------------------------------------------------------
diff --git a/scriptbuilder/src/test/resources/test_install_rubygems.sh b/scriptbuilder/src/test/resources/test_install_rubygems.sh
index c9363d2..169250c 100644
--- a/scriptbuilder/src/test/resources/test_install_rubygems.sh
+++ b/scriptbuilder/src/test/resources/test_install_rubygems.sh
@@ -1,10 +1,10 @@
if ! hash gem 2>/dev/null; then
(
-mkdir /tmp/$$
-curl -q -s -S -L --connect-timeout 10 --max-time 600 --retry 20 -X GET http://production.cf.rubygems.org/rubygems/rubygems-1.8.10.tgz |(mkdir -p /tmp/$$ &&cd /tmp/$$ &&tar -xpzf -)
+export TAR_TEMP="$(mktemp -d)"
+curl -q -s -S -L --connect-timeout 10 --max-time 600 --retry 20 -X GET http://production.cf.rubygems.org/rubygems/rubygems-1.8.10.tgz |(mkdir -p "${TAR_TEMP}" &&cd "${TAR_TEMP}" &&tar -xpzf -)
mkdir -p /tmp/rubygems
-mv /tmp/$$/*/* /tmp/rubygems
-rm -rf /tmp/$$
+mv "${TAR_TEMP}"/*/* /tmp/rubygems
+rm -rf "${TAR_TEMP}"
cd /tmp/rubygems
ruby setup.rb --no-format-executable
rm -fr /tmp/rubygems
http://git-wip-us.apache.org/repos/asf/jclouds/blob/0cb2a156/scriptbuilder/src/test/resources/test_install_rubygems_scriptbuilder.sh
----------------------------------------------------------------------
diff --git a/scriptbuilder/src/test/resources/test_install_rubygems_scriptbuilder.sh b/scriptbuilder/src/test/resources/test_install_rubygems_scriptbuilder.sh
index 1c4bb5f..3df852e 100644
--- a/scriptbuilder/src/test/resources/test_install_rubygems_scriptbuilder.sh
+++ b/scriptbuilder/src/test/resources/test_install_rubygems_scriptbuilder.sh
@@ -86,11 +86,11 @@ END_OF_JCLOUDS_SCRIPT
trap 'echo $?>$INSTANCE_HOME/rc' 0 1 2 3 15
if ! hash gem 2>/dev/null; then
(
- mkdir /tmp/$$
- curl -q -s -S -L --connect-timeout 10 --max-time 600 --retry 20 -X GET http://production.cf.rubygems.org/rubygems/rubygems-1.8.10.tgz |(mkdir -p /tmp/$$ &&cd /tmp/$$ &&tar -xpzf -)
+ export TAR_TEMP="$(mktemp -d)"
+ curl -q -s -S -L --connect-timeout 10 --max-time 600 --retry 20 -X GET http://production.cf.rubygems.org/rubygems/rubygems-1.8.10.tgz |(mkdir -p "${TAR_TEMP}" &&cd "${TAR_TEMP}" &&tar -xpzf -)
mkdir -p /tmp/rubygems
- mv /tmp/$$/*/* /tmp/rubygems
- rm -rf /tmp/$$
+ mv "${TAR_TEMP}"/*/* /tmp/rubygems
+ rm -rf "${TAR_TEMP}"
cd /tmp/rubygems
ruby setup.rb --no-format-executable
rm -fr /tmp/rubygems