From 693ceacc86786003dbe165fda985dd1f4911bd07 Mon Sep 17 00:00:00 2001
From: Campbell Barton
Date: Sat, 8 Sep 2012 23:26:15 +0000
Subject: fix for security flaw CVE-2008-1103, ref BZ #855092 on https://bugzilla.redhat.com patch provided by Jochen Schmitt, made some minor edits.
---
 source/blender/blenkernel/intern/blender.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
(limited to 'source/blender/blenkernel/intern/blender.c')
diff --git a/source/blender/blenkernel/intern/blender.c b/source/blender/blenkernel/intern/blender.c
index a9cb7275b7d..d5c2baea6fb 100644
--- a/source/blender/blenkernel/intern/blender.c
+++ b/source/blender/blenkernel/intern/blender.c
@@ -715,8 +715,9 @@ void BKE_undo_save_quit(void)
 {
 UndoElem *uel;
 MemFileChunk *chunk;
- int file;
 char str[FILE_MAX];
+ const int flag = O_BINARY + O_WRONLY + O_CREAT + O_TRUNC + O_EXCL;
+ int file;
 
 if ((U.uiflag & USER_GLOBALUNDO) == 0) {
 return;
@@ -736,8 +737,17 @@ void BKE_undo_save_quit(void)
 /* save the undo state as quit.blend */
 BLI_make_file_string("/", str, BLI_temporary_dir(), "quit.blend");
 
+ /* first try create the file, if it exists call without 'O_CREAT',
+ * to avoid writing to a symlink - use 'O_EXCL' (CVE-2008-1103) */
 errno = 0;
- file = BLI_open(str, O_BINARY + O_WRONLY + O_CREAT + O_TRUNC, 0666);
+ file = BLI_open(str, flag, 0666);
+ if (file == -1) {
+ if (errno == EEXIST) {
+ errno = 0;
+ file = BLI_open(str, flag & ~O_CREAT, 0666);
+ }
+ }
+
 if (file == -1) {
 fprintf(stderr, "Unable to save '%s': %s\n",
 str, errno ? strerror(errno) : "Unknown error opening file");
--
cgit v1.2.3
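Review bot: The EEXIST fallback in the second hunk still follows a symlink: `flag & ~O_CREAT` leaves `O_WRONLY + O_TRUNC + O_EXCL`, and POSIX gives `O_EXCL` no defined effect without `O_CREAT`, so a `quit.blend` link that already exists in the temporary directory is opened and its target truncated, which is the case the new comment says is avoided. A safer fallback removes the existing entry (unlinking a symlink removes the link, not its target) and retries with the unchanged exclusive flags, e.g. `if (errno == EEXIST && unlink(str) == 0) { errno = 0; file = BLI_open(str, flag, 0666); }` or the project's portable delete helper in place of `unlink`; a link re-created in between then makes the open fail instead of being followed. The mode argument is also ignored once `O_CREAT` is dropped, and `0666` in a shared temporary directory leaves the file's permissions to the umask, so `0600` would be tighter. BKE_undo_save_quit starts before and continues past the lines shown, so the write and close paths are outside this review.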