Re: Fwd: temporary file creation vulnerability in Redis

[Michael Samuel <mik () miknet net>]

Hi,

On 23 February 2014 07:35, Matthew Hall <mhall () mhcomputing net> wrote:

>    641      snprintf(tmpfile,256,"temp-%d.rdb", (int) getpid());
>    642      fp =3D fopen(tmpfile,"w");
> ...
>    699      if (rename(tmpfile,filename) =3D=3D -1) {
This looks like the standard pattern for atomic file writing.  The temp
file would
probably be in the same directory as the data file, since cross-device
rename()
doesn't work.

This class of vulnerability relies on the fact that other users have write
access
to the directory that the tempfile is written to.

Regards,
  Michael