CVE-2019-12450: gfile: Limit access to files when copying (d8f8f4d6) · Commits · GNOME / GLib · GitLab

Commit d8f8f4d6 authored May 23, 2019 by

Browse files

gfile: Limit access to files when copying

file_copy_fallback creates new files with default permissions and set the correct permissions after the operation is finished. This might cause that the files can be accessible by more users during the operation than expected. Use G_FILE_CREATE_PRIVATE for the new files to limit access to those files.

Pipeline #83814 passed with stages

in 11 minutes and 48 seconds

• Changes 1
• Pipelines 1

…

…

@@ -3284,12 +3284,12 @@ file_copy_fallback (GFile *source,

out = (GOutputStream*)_g_local_file_output_stream_replace (_g_local_file_get_filename (G_LOCAL_FILE (destination)),

FALSE, NULL,

flags & G_FILE_COPY_BACKUP,

G_FILE_CREATE_REPLACE_DESTINATION,

info,

G_FILE_CREATE_REPLACE_DESTINATION |

G_FILE_CREATE_PRIVATE, info,

cancellable, error);

else

out = (GOutputStream*)_g_local_file_output_stream_create (_g_local_file_get_filename (G_LOCAL_FILE (destination)),

FALSE, 0, info,

FALSE, G_FILE_CREATE_PRIVATE, info,

cancellable, error);

}

else if (flags & G_FILE_COPY_OVERWRITE)

…

…

@@ -3297,12 +3297,13 @@ file_copy_fallback (GFile *source,

out = (GOutputStream *)g_file_replace (destination,

NULL,

flags & G_FILE_COPY_BACKUP,

G_FILE_CREATE_REPLACE_DESTINATION,

G_FILE_CREATE_REPLACE_DESTINATION |

G_FILE_CREATE_PRIVATE,

cancellable, error);

}

else

{

out = (GOutputStream *)g_file_create (destination, 0, cancellable, error);

out = (GOutputStream *)g_file_create (destination, G_FILE_CREATE_PRIVATE, cancellable, error);

}

if (!out)

…

…

• mentioned in merge request !1134 (merged)

  mentioned in merge request !1134

• mentioned in commit 53f6ede6

  mentioned in commit 53f6ede62819fca7082e7cc1ed89edb799991f9a

• mentioned in commit 56e244ec

  mentioned in commit 56e244ecdf9e9419f52b24858d23a014f32fa5a9

• mentioned in commit b37d628c

  mentioned in commit b37d628c01da0bd61348b3ac73b7a436af008d8d