chmod is broken and insecure

Bug #1021725 reported by Sergey "Shnatsel" Davidoff
Affects | Status | Importance | Assigned to | Milestone
Scratch | Fix Released | Critical | Mario Guerriero |

Bug Description

I appreciate attempting to make some files executable on initial save, but the way it's currently implemented is really ugly. You're using a wrapper to system() syscall instead of using chmod() UNIX function. Besides being broken (here's what I get in console on saving:
"chmod: missing operand after `+x'
Try `chmod --help' for more information." ) it presents a potential security vulnerability.
Please use chmod() unix function instead.

Changed in scratch:
milestone: none → luna-beta1
summary: - chmod is broken and ugly
+ chmod is broken and insecure
Mario Guerriero (mefrio-g) wrote :

Yeah, it is a very, very ugly implementation.

Changed in scratch:
status: New → Confirmed
xapantu (xapantu) wrote :

It doesn't need to be private...

Mario Guerriero (mefrio-g) wrote :

Yes it can be public

Changed in scratch:
assignee: nobody → Mario Guerriero (mefrio-g)
security vulnerability: yes → no
visibility: private → public
Changed in scratch:
status: Confirmed → Fix Committed
Sergey "Shnatsel" Davidoff (shnatsel) wrote :

Setting permissions to fixed permissive 777 is not good enough AFAIK. By default files get 664 permissions, so what you want to set is probably 775.

Changed in scratch:
status: Fix Committed → Fix Released
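
An added example, not code from the Scratch project: the change requested in the report (no shell via system()) combined with the mode discussed in the last comment, using fchmod() on an open descriptor so the file name is never parsed as a command line. The function names, the /tmp demo path and the read-to-execute mapping (0664 becomes 0775) are assumptions of this example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Give execute to every class (user/group/other) that already has read:
 * 0664 -> 0775, 0600 -> 0700. Write bits are never added. */
mode_t with_exec_bits(mode_t mode)
{
    return mode | ((mode & (S_IRUSR | S_IRGRP | S_IROTH)) >> 2);
}

/* Mark a saved file executable without a shell: the path is plain data to
 * open(), and fstat()/fchmod() act on the same open file. 0 on success. */
int make_executable(const char *path)
{
    struct stat st;
    int rc = -1;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    /* Refuse directories, devices and other non-regular files. */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode))
        rc = fchmod(fd, with_exec_bits(st.st_mode & 07777));
    close(fd);
    return rc;
}

/* Constructed demo: create `path` with mode `initial`, apply
 * make_executable(), remove the file, return the resulting mode or -1. */
long demo_mode_after(const char *path, mode_t initial)
{
    struct stat st;
    long result = -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (fchmod(fd, initial) == 0 && make_executable(path) == 0 && fstat(fd, &st) == 0)
        result = (long)(st.st_mode & 07777);
    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    /* File name with a space and ';' (constructed): handled as a name only. */
    printf("%lo\n", (unsigned long)demo_mode_after("/tmp/scratch demo; x.sh", 0664));
    return 0;
}
```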