use mktemp(1) to generate temporary file names

Fix for CVE-2014-2906. Closes a race condition in funced which would allow execution of arbitrary code; closes a race condition in psub which would allow alternation of the data stream. Note that `psub -f` does not work (fish-shell#1040); a fix should be committed separately for ease of maintenance.
jdx · Apr 27, 2014 · c4fec63 · c4fec63
1 parent f5854f7
commit c4fec63
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 13 deletions.
diff --git a/share/functions/funced.fish b/share/functions/funced.fish
@@ -81,11 +81,7 @@ function funced --description 'Edit function definition'
         return 0
     end
 
-    set -q TMPDIR; or set -l TMPDIR /tmp
-    set -l tmpname (printf "$TMPDIR/fish_funced_%d_%d.fish" %self (random))
-    while test -f $tmpname
-        set tmpname (printf "$TMPDIR/fish_funced_%d_%d.fish" %self (random))
-    end
+    set tmpname (mktemp -t fish_funced.XXXXXXXXXX)
 
     if functions -q -- $funcname
         functions -- $funcname > $tmpname

diff --git a/share/functions/psub.fish b/share/functions/psub.fish
@@ -45,21 +45,16 @@ function psub --description "Read from stdin into a file and output the filename
 		return
 	end
 
-	# Find unique file name for writing output to
-	while true
-		set filename /tmp/.psub.(echo %self).(random);
-		if not test -e $filename
-			break;
-		end
-	end
-
 	if test use_fifo = 1
 		# Write output to pipe. This needs to be done in the background so
 		# that the command substitution exits without needing to wait for
 		# all the commands to exit
+                set dir (mktemp -d /tmp/.psub.XXXXXXXXXX); or return
+                set filename $dir/psub.fifo
 		mkfifo $filename
 		cat >$filename &
 	else
+                set filename (mktemp /tmp/.psub.XXXXXXXXXX)
 		cat >$filename
 	end