Commit 32e648f9 authored by Olav Morken's avatar Olav Morken

statistics:logcleaner: Fix insecure open of output file.

The logcleaner script by default creates the output file in /tmp.
Another user with access to the machine can create a symbolic link with
the same name as the output file. This will make the user running the
logcleaner script overwrite another file on the system.

This patch fixes this by making sure that we don't open existing files.

Thanks to Thijs Kinkhorst <thijs@uvt.nl> for reporting this bug.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2083 44740490-163a-0410-bde0-09ae8108e29a
parent 0d5557c6
...@@ -125,7 +125,13 @@ class sspmod_statistics_LogCleaner { ...@@ -125,7 +125,13 @@ class sspmod_statistics_LogCleaner {
$file = fopen($this->inputfile, 'r'); $file = fopen($this->inputfile, 'r');
#$logfile = file($this->inputfile, FILE_IGNORE_NEW_LINES ); #$logfile = file($this->inputfile, FILE_IGNORE_NEW_LINES );
$outfile = fopen($outputfile, 'w'); /* Open the output file in a way that guarantees that we will not overwrite a random file. */
if (file_exists($outputfile)) {
/* Delete existing output file. */
unlink($outputfile);
}
$outfile = fopen($outputfile, 'x'); /* Create the output file. */
$logparser = new sspmod_statistics_LogParser( $logparser = new sspmod_statistics_LogParser(
$this->statconfig->getValue('datestart', 0), $this->statconfig->getValue('datelength', 15), $this->statconfig->getValue('offsetspan', 44) $this->statconfig->getValue('datestart', 0), $this->statconfig->getValue('datelength', 15), $this->statconfig->getValue('offsetspan', 44)
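Review bot: The result of `fopen($outputfile, 'x')` is never checked in the visible lines, so when exclusive creation fails the code appears to carry on with `$outfile` set to `FALSE`. That failure is reachable in the scenario the commit describes: `file_exists()` follows symbolic links and returns false for a dangling one, so `unlink()` is skipped. `unlink()` can also fail on a file owned by another user in a sticky-bit directory such as /tmp. The `'x'` mode still prevents the overwrite, but the script should stop explicitly, e.g. `if ($outfile === FALSE) throw new Exception('Unable to create output file: ' . $outputfile);`, and test `is_link($outputfile) || file_exists($outputfile)` before the unlink. The method body continues outside the hunk, so a later check may already exist there.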
......