[Bf-blender-cvs] SVN commit: /data/svn/bf-blender [50481] trunk/blender/source/blender/ blenkernel/intern/blender.c: fix for security flaw CVE-2008-1103, ref BZ #855092 on https://bugzilla.redhat.com

Campbell Barton ideasman42 at gmail.com
Sun Sep 9 01:26:15 CEST 2012


Revision: 50481
          http://projects.blender.org/scm/viewvc.php?view=rev&root=bf-blender&revision=50481
Author:   campbellbarton
Date:     2012-09-08 23:26:15 +0000 (Sat, 08 Sep 2012)
Log Message:
-----------
fix for security flaw CVE-2008-1103, ref BZ #855092 on https://bugzilla.redhat.com

patch provided by Jochen Schmitt, made some minor edits.

Modified Paths:
--------------
    trunk/blender/source/blender/blenkernel/intern/blender.c

Modified: trunk/blender/source/blender/blenkernel/intern/blender.c
===================================================================
--- trunk/blender/source/blender/blenkernel/intern/blender.c	2012-09-08 23:07:53 UTC (rev 50480)
+++ trunk/blender/source/blender/blenkernel/intern/blender.c	2012-09-08 23:26:15 UTC (rev 50481)
@@ -715,8 +715,9 @@
 {
 	UndoElem *uel;
 	MemFileChunk *chunk;
+	char str[FILE_MAX];
+	const int flag = O_BINARY + O_WRONLY + O_CREAT + O_TRUNC + O_EXCL;
 	int file;
-	char str[FILE_MAX];
 
 	if ((U.uiflag & USER_GLOBALUNDO) == 0) {
 		return;
@@ -736,9 +737,18 @@
 	/* save the undo state as quit.blend */
 	BLI_make_file_string("/", str, BLI_temporary_dir(), "quit.blend");
 
+	/* first try create the file, if it exists call without 'O_CREAT',
+	 * to avoid writing to a symlink - use 'O_EXCL' (CVE-2008-1103) */
 	errno = 0;
-	file = BLI_open(str, O_BINARY + O_WRONLY + O_CREAT + O_TRUNC, 0666);
+	file = BLI_open(str, flag, 0666);
 	if (file == -1) {
+		if (errno == EEXIST) {
+			errno = 0;
+			file = BLI_open(str, flag & ~O_CREAT, 0666);
+		}
+	}
+
+	if (file == -1) {
 		fprintf(stderr, "Unable to save '%s': %s\n",
 		        str, errno ? strerror(errno) : "Unknown error opening file");
 		return;
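Review bot: The `EEXIST` fallback `BLI_open(str, flag & ~O_CREAT, 0666)` still follows a symlink that already exists at `quit.blend` in the temporary directory, and with `O_TRUNC` it truncates whatever that link points to, so the case named in the comment is only covered when the file does not exist yet. Clearing `O_CREAT` also leaves `O_EXCL` set on its own, which POSIX leaves undefined. A safer fallback removes the existing directory entry and repeats the exclusive create, e.g. `if (errno == EEXIST && unlink(str) == 0) { errno = 0; file = BLI_open(str, flag, 0666); }`, since removing a link does not touch its target and a re-planted entry makes the retry fail with `EEXIST` again (the portable delete helper for Windows builds would need confirming). The mode `0666` is worth a second look for a file written to a shared temp directory; `0600` would keep the saved undo state private to the user. The enclosing function starts before the first hunk and continues past this one, so how `file` is used afterwards is not visible here.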



