gitk: Use mktemp -d to avoid predictable temporary directories

gitk uses a predictable ".gitk-tmp.$PID" pattern when generating a temporary directory. Use "mktemp -d .gitk-tmp.XXXXXX" to harden gitk against someone seeding /tmp with files matching the pid pattern. Signed-off-by: N David Aguilar <davvid@gmail.com> Signed-off-by: N Paul Mackerras <paulus@samba.org>

gitk: Use mktemp -d to avoid predictable temporary directories
gitk uses a predictable ".gitk-tmp.$PID" pattern when generating a temporary directory. Use "mktemp -d .gitk-tmp.XXXXXX" to harden gitk against someone seeding /tmp with files matching the pid pattern. Signed-off-by: N David Aguilar <davvid@gmail.com> Signed-off-by: N Paul Mackerras <paulus@samba.org>
105b5d3f · David Aguilar · Paul Mackerras · c7664f1a · 105b5d3f
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

gitk gitk +2 -1

未找到文件。
--- a/gitk
+++ b/gitk
@@ -3503,7 +3503,8 @@ proc gitknewtmpdir {} {
 	} else {
 	    set tmpdir $gitdir
 	}
-	set gitktmpdir [file join $tmpdir [format ".gitk-tmp.%s" [pid]]]
+	set gitktmpformat [file join $tmpdir ".gitk-tmp.XXXXXX"]
+	set gitktmpdir [exec mktemp -d $gitktmpformat]
 	if {[catch {file mkdir $gitktmpdir} err]} {
 	    error_popup "[mc "Error creating temporary directory %s:" $gitktmpdir] $err"
 	    unset gitktmpdir