path: root/clang/tools/scan-build
author: Sylvestre Ledru <sylvestre@debian.org> 2014-06-16 20:31:15 +0000
committer: Sylvestre Ledru <sylvestre@debian.org> 2014-06-16 20:31:15 +0000
commit: c7bc52596f5a978feada4f2f8cbc0639f7b06b2c (patch)
tree: 5ebf356ef5d2630f98fdb507aff3022234957c4a /clang/tools/scan-build
parent: 675d279af405d594552613c40a1507516039c694 (diff)
download: bcm5719-llvm-c7bc52596f5a978feada4f2f8cbc0639f7b06b2c.tar.gz
bcm5719-llvm-c7bc52596f5a978feada4f2f8cbc0639f7b06b2c.zip
Check that the directory does not exist.
Otherwise, it could allow local users to obtain sensitive information or overwrite arbitrary files via a symlink attack on temporary directories with predictable names.
Reported as CVE-2014-2893 ( https://security-tracker.debian.org/tracker/CVE-2014-2893 )
Found by Jakub Wilk
llvm-svn: 211051
Diffstat (limited to 'clang/tools/scan-build')
-rwxr-xr-x clang/tools/scan-build/scan-build 6
1 files changed, 6 insertions, 0 deletions
diff --git a/clang/tools/scan-build/scan-build b/clang/tools/scan-build/scan-build
index 862bd3a4ca3..b740cd21e6b 100755
--- a/clang/tools/scan-build/scan-build
+++ b/clang/tools/scan-build/scan-build
@@ -206,6 +206,12 @@ sub GetHTMLRunDir {
else {
$NewDir = "$Dir/$DateString-$RunNumber";
}
+
+ # Make sure that the directory does not exist in order to avoid hijack.
+ if (-d $NewDir) {
+ DieDiag("The directory '$NewDir' already exists.\n");
+ }
+
mkpath($NewDir);
return $NewDir;
}
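Review bot: The `-d $NewDir` test followed by `mkpath($NewDir)` is a check-then-create sequence, so a path created by another local user in the window between the two calls is not caught, and `mkpath` does not fail when the directory already exists. `-d` is also false for a regular file or a dangling symlink at that name, so those cases fall through to `mkpath` without the diagnostic. Consider creating the parent with `mkpath($Dir)` and the final component with a plain `mkdir($NewDir)`, calling `DieDiag` when it fails, so that the existence check and the creation happen in one step. The name is still built as `$DateString-$RunNumber`, so it stays predictable and the collision case has to be rejected at creation time.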