fix symlink vulnerability

a38e1fe0 · Őry Máté · 682c53d2 · a38e1fe0
Commit a38e1fe0 authored Jul 24, 2014 by Őry Máté
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 0 deletions

notify.py
+21 -0

No files found.
--- a/notify.py
+++ b/notify.py
@@ -75,6 +75,10 @@ def notify(url):
    olddisplay = os.environ.get("DISPLAY")
    try:
        file_path = os.path.join(get_temp_dir(), file_name)
+        if file_already_exists(file_path):
+            os.remove(file_path)
+            if file_already_exists(file_path):
+                raise Exception("Couldn't create file %s as new" % file_path)
        with open(file_path, "w") as f:
            json.dump(url, f)

@@ -94,6 +98,23 @@ def notify(url):
        os.environ["DISPLAY"] = olddisplay


+def file_already_exists(name):
+    """Return whether file already exists, create it if not.
+
+    Other errors are silently ignored as the file will be reopened anyways.
+    Creating it is needed to avoid race condition.
+    """
+
+    try:
+        fd = os_open(name, O_CREAT | O_EXCL)
+    except OSError as e:
+        if e.errno == EEXIST:
+            return True
+    else:
+        close(fd)
+    return False
+
+
 def search_display():
    """Search a valid DISPLAY env var in processes
    """