From 0d5557c60453fcfdf630165d4bc384d2678e7dce Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Fri, 8 Jan 2010 08:27:30 +0000
Subject: [PATCH] InfoCard: Fix insecure file creation.

The InfoCard modules stores files in /tmp, but does this in a way that
allows another user with local access to the machine to overwrite any
file the webserver has access to.

This patch fixes it by moving the files into the simpleSAMLphp temp
directory.

Thanks to Thijs Kinkhorst <thijs@uvt.nl> for reporting this bug.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2082 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/InfoCard/www/STS_card_issuer.php | 4 ++--
 modules/InfoCard/www/prueba.php          | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/InfoCard/www/STS_card_issuer.php b/modules/InfoCard/www/STS_card_issuer.php
index ca2593379..8847f5bdb 100755
--- a/modules/InfoCard/www/STS_card_issuer.php
+++ b/modules/InfoCard/www/STS_card_issuer.php
@@ -126,7 +126,7 @@ function enable_download($username, $cardid){
 	$time = 'x'.time(); //Cannot start with a number	
 	
 	$uuid = uniqid();
-	$handle = fopen("/tmp/$uuid",'w');
+	$handle = fopen(SimpleSAML_Utilities::getTempDir() . "/$uuid",'w');
 	if ($handle) {
 		fwrite($handle, strlen($username).$username.strlen($cardid).$cardid.strlen($time).$time);
 		fclose ($handle);
@@ -152,7 +152,7 @@ function disable_download($uuid){
 */
 function is_card_enabled($uuid, $delivery_time){
 	$now = time();	
-	$filename = "/tmp/$uuid";
+	$filename = SimpleSAML_Utilities::getTempDir() . "/$uuid";
 	
 	//File check
 	if (!file_exists($filename)) return false; //File doesn't exist
diff --git a/modules/InfoCard/www/prueba.php b/modules/InfoCard/www/prueba.php
index 8376b34d0..34b8d27d4 100755
--- a/modules/InfoCard/www/prueba.php
+++ b/modules/InfoCard/www/prueba.php
@@ -33,7 +33,7 @@ if ($result[0]){
 pg_close($dbconn);
 
 
-// $handle = fopen('/tmp/prueba2.txt','w');
+// $handle = fopen(SimpleSAML_Utilities::getTempDir() . '/prueba2.txt','w');
 // fwrite($handle, 'prueba');
 // fclose ($handle);
 
-- 
GitLab