Project

General

Profile

Actions

Misc #18082

open

FileUtils.remove_entry_secure has inconsistent document

Added by pocke (Masataka Kuwabara) 2 months ago.

Status:
Open
Priority:
Normal
Assignee:
-
[ruby-core:104956]

Description

FileUtils.remove_entry_secure and FileUtils.rm_r have inconsistency about the vulnerability condition the in the documentations.

remove_entry_secure document:
https://github.com/ruby/ruby/blob/6a9bfa4d9387b9d8f07f43f4546437be57f9e27c/lib/fileutils.rb#L660-L664

#rm_r causes security hole when:

  • Parent directory is world writable (including /tmp).
  • Removing directory tree includes world writable directory.
  • The system has symbolic link.

rm_r document:
https://github.com/ruby/ruby/blob/6a9bfa4d9387b9d8f07f43f4546437be57f9e27c/lib/fileutils.rb#L614-L618

WARNING: This method causes local vulnerability
if one of parent directories or removing directory tree are world
writable (including /tmp, whose permission is 1777), and the current
process has strong privilege such as Unix super user (root), and the
system has symbolic link.

The differences are following.

  • rm_r describes about strong privilege, but remove_entry_secure doesn't.
  • rm_r describes "one of parent directories OR removing directory tree are world writable", but the conditions are just listed in remove_entry_secure doc, it seems AND condition.

I couldn't understand the prerequisites of the vulnerability from the documents.
I think both documents should describe the same prerequisites.

I don't know what is the right prerequisites, so I didn't make a patch.

No data to display

Actions

Also available in: Atom PDF