opencadc / vostools

VOSpace command line and FUSE clients
https://www.canfar.net/en/docs/storage

tmp file vuln #42

Open ghost opened 10 years ago

ghost commented 10 years ago

https://pypi.python.org/pypi/vos

vos is a set of python modules and scripts to enable access to VOSpace.

The default installation of vos is tuned for accessing the VOSpace provided by the Canadian Advanced Network For Astronomical Research (CANFAR)

VOSpace is a Distributed Cloud storage service for use in Astronomy.

vos-1.10.4/vos/md5_cache.py

import sqlite3, logging

READBUF = 8192


class MD5_Cache:

    def __init__(self, cache_db="/tmp/#vos_cached.db#"):
        """Setup the sqlDB that will contain the cache table"""
        # default is a fixed, predictable filename in the world-writable /tmp
        self.cache_db = cache_db

        ## initialize the md5Cache db
        sqlConn = sqlite3.connect(self.cache_db)
        with sqlConn:
            sqlConn.execute("create table if not exists md5_cache (fname text PRIMARY KEY NOT NULL , md5 text, st_size int, st_mtime int)")
        ## build cache lookup if doesn't already exists

Also posted to oss-security to get a CVE #.

ijiraq commented 7 years ago

I wonder how we could correct this. We need a cache that is in a repeatable location on the user's file system. Also, the cache should be in the cache directory, not in /tmp/.
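An added example of the fix direction ijiraq's comment points at; this is not code from vostools or from either commenter. It moves the cache to a per-user directory ($XDG_CACHE_HOME/vos or ~/.cache/vos, an assumed layout), creates it 0700, creates the database file with O_CREAT|O_EXCL and mode 0600, and refuses to open a path that is a symlink, owned by someone else, or group/world writable. The two demo_* functions construct the scenarios inline (a clean cache, and a symlink pre-planted at the expected path as on a shared /tmp). Function names are assumptions, and the code assumes a POSIX host.

```python
import os
import stat
import sqlite3
import tempfile


def safe_cache_path(app="vos", xdg_cache_home=None, home=None):
    """Per-user cache path (assumed layout): $XDG_CACHE_HOME/<app>/md5_cache.db,
    falling back to ~/.cache/<app>/md5_cache.db. Never a shared directory."""
    base = xdg_cache_home if xdg_cache_home is not None else os.environ.get("XDG_CACHE_HOME", "")
    if not base:
        base = os.path.join(home or os.path.expanduser("~"), ".cache")
    return os.path.join(base, app, "md5_cache.db")


def _check_private(path, uid):
    """Refuse symlinks, entries owned by another uid, and group/world-writable
    modes, so a pre-planted entry at the cache path is never followed."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError("%s is a symlink" % path)
    if st.st_uid != uid:
        raise PermissionError("%s is owned by uid %d, not %d" % (path, st.st_uid, uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError("%s is group/world writable" % path)


def open_cache_db(cache_db):
    """Create the cache directory 0700 if missing, verify directory and file
    are private to the caller, then open sqlite on the verified path."""
    uid = os.getuid()
    cache_dir = os.path.dirname(cache_db)
    os.makedirs(cache_dir, mode=0o700, exist_ok=True)
    _check_private(cache_dir, uid)
    if not os.path.lexists(cache_db):
        # O_EXCL fails instead of reusing anything planted since the lexists
        # check; 0600 keeps other users from reading or replacing the cache.
        fd = os.open(cache_db, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        os.close(fd)
    _check_private(cache_db, uid)
    conn = sqlite3.connect(cache_db)
    with conn:
        conn.execute(
            "create table if not exists md5_cache "
            "(fname text PRIMARY KEY NOT NULL, md5 text, st_size int, st_mtime int)"
        )
    return conn


def demo_fresh_cache():
    """Constructed scenario: clean per-user directory. Returns (file mode
    bits of the created cache, row count of the new table)."""
    root = tempfile.mkdtemp()
    path = os.path.join(root, "vos", "md5_cache.db")
    conn = open_cache_db(path)
    rows = conn.execute("select count(*) from md5_cache").fetchone()[0]
    conn.close()
    return stat.S_IMODE(os.stat(path).st_mode), rows


def demo_planted_symlink():
    """Constructed scenario: the cache path already exists as a symlink to a
    file someone wants clobbered (the /tmp attack). True if refused."""
    root = tempfile.mkdtemp()
    victim = os.path.join(root, "victim")
    open(victim, "w").close()
    os.makedirs(os.path.join(root, "vos"), mode=0o700)
    planted = os.path.join(root, "vos", "md5_cache.db")
    os.symlink(victim, planted)
    try:
        open_cache_db(planted)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("fresh cache (mode, rows):", demo_fresh_cache())
    print("planted symlink refused:", demo_planted_symlink())
```

The ownership and mode checks are done with lstat on the final path after creation rather than only before, which is what closes the window between "check" and "use" that a fixed /tmp name leaves open; the per-user directory is what gives the repeatable location the comment asks for.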