[cdesktopenv-devel] security fix for udbToAny.ksh

Sun, 12 Aug 2012 11:33:30 -0700 

Always use mktemp(1) for generating a random filename in a shell script.

>From 5e7ecc7fc1615b2992bfbf8b16d4eaa74023d153 Mon Sep 17 00:00:00 2001
From: Pascal Stumpf <pascal.stu...@cubes.de>
Date: Sun, 12 Aug 2012 20:27:32 +0200
Subject: [PATCH] Do not use the PID as a way of generating a "random"
 filename.

This script did not even check for the file's existence prior to cat'ing
random stuff into it.  Ouch.
---
 cde/admin/IntegTools/dbTools/udbToAny.ksh |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/cde/admin/IntegTools/dbTools/udbToAny.ksh 
b/cde/admin/IntegTools/dbTools/udbToAny.ksh
index 4c26e8b..655b627 100755
--- a/cde/admin/IntegTools/dbTools/udbToAny.ksh
+++ b/cde/admin/IntegTools/dbTools/udbToAny.ksh
@@ -142,7 +142,7 @@ ConvertRoutine()
        ;;
     esac
 
-   cat > /tmp/awk$$ <<EOF
+   cat > $TMPFILE <<EOF
 #
 # The function name "PRTREC" is used by the parsing routines
 # to do the output. By providing a custom output function you
@@ -166,8 +166,8 @@ EOF
    # Create a single awk file for use with the "-f" parameter.
    # IBM's awk only allows one "-f"
    #
-    cat "$UDB_PARSE_LIB" >> /tmp/awk$$
-    [ -z "$CUSTOM_PRINT" ]  || cat "$CUSTOM_PRINT_LIB" >> /tmp/awk$$
+    cat "$UDB_PARSE_LIB" >> $TMPFILE
+    [ -z "$CUSTOM_PRINT" ]  || cat "$CUSTOM_PRINT_LIB" >> $TMPFILE
 
     $AWK -v mailTo="$Administrator" \
         -v action="$DoAction" \
@@ -176,7 +176,7 @@ EOF
         -v UseDefaultBlocks="$UseDefaultBlocks" \
         -v DeBugFile="$DEBUGFILE" \
         -v DeBug="$DEBUGLEVEL" \
-        -f /tmp/awk$$ $*
+        -f $TMPFILE $*
 
 
 #
@@ -185,7 +185,7 @@ EOF
 #       -f "$UDB_PARSE_LIB" \
 #
 
-     rm /tmp/awk$$
+     rm $TMPFILE
 }
 
 #
@@ -246,6 +246,7 @@ typeset UDB_PARSE_LIB="$DBTOOLSRC/udbParseLib.awk"
 typeset CUSTOM_PRINT_LIB=""
 typeset DEBUGFILE="/dev/tty"
 typeset DEBUGLEVEL=0
+typeset TMPFILE=`mktemp /tmp/awkXXXXXXXXXXXXXXXXXXXXX`
 
 if [ $# -gt 2 ]; then 
     while [ $# -gt 0 ]
-- 
1.7.6


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
cdesktopenv-devel mailing list
cdesktopenv-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cdesktopenv-devel

Reply via email to