fix: remove insecure tpmnam usage

Signed-off-by: Felipe Zipitria <[email protected]>
fzipi · May 23, 2024 · 6944858 · 6944858
1 parent 10b089a
commit 6944858
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 17 deletions.
diff --git a/apache2/modsecurity.c b/apache2/modsecurity.c
@@ -129,12 +129,20 @@ msc_engine *modsecurity_create(apr_pool_t *mp, int processing_mode) {
  */
 int modsecurity_init(msc_engine *msce, apr_pool_t *mp) {
     apr_status_t rc;
-    apr_file_t *auditlog_lock_name;
-    apr_file_t *geo_lock_name;
-    apr_file_t *dbm_lock_name;
-
+    apr_file_t *auditlog_lock_file = NULL;
+    apr_file_t *geo_lock_file = NULL;
+    apr_file_t *dbm_lock_file = NULL;
+    const char *temp_dir = NULL;
+    char *temp_path_template = NULL;
+    const char *temp_file;
+
+    // get temp path suitable for writing
+    rc = apr_temp_dir_get(&temp_dir, mp);
+    if (rc != APR_SUCCESS) {
+        return -1;
+    }
     // use temp path template for lock files
-    char *path = apr_pstrcat(p, temp_dir, "/modsec-lock-tmp.XXXXXX", NULL);
+    temp_path_template = apr_pstrcat(mp, temp_dir, "/modsec-lock-tmp.XXXXXX", NULL);
 
     msce->auditlog_lock = msce->geo_lock = NULL;
 #ifdef GLOBAL_COLLECTION_LOCK
@@ -152,11 +160,15 @@ int modsecurity_init(msc_engine *msce, apr_pool_t *mp) {
     curl_global_init(CURL_GLOBAL_ALL);
 #endif
     /* Serial audit log mutext */
-    rc = apr_file_mktemp(&auditlog_lock_name, path, 0, p)
+    rc = apr_file_mktemp(&auditlog_lock_file, temp_path_template, 0, mp);
     if (rc != APR_SUCCESS) {
-        return -1
+        return -1;
+    }
+    rc = apr_file_name_get(&temp_file, auditlog_lock_file);
+    if (rc != APR_SUCCESS) {
+        return -1;
     }
-    rc = apr_global_mutex_create(&msce->auditlog_lock, auditlog_lock_name, APR_LOCK_DEFAULT, mp);
+    rc = apr_global_mutex_create(&msce->auditlog_lock, temp_file, APR_LOCK_DEFAULT, mp);
     if (rc != APR_SUCCESS) {
         return -1;
     }
@@ -175,11 +187,15 @@ int modsecurity_init(msc_engine *msce, apr_pool_t *mp) {
     }
 #endif /* SET_MUTEX_PERMS */
 
-    rc = apr_file_mktemp(&geo_lock_name, path, 0, p)
+    rc = apr_file_mktemp(&geo_lock_file, temp_path_template, 0, mp);
     if (rc != APR_SUCCESS) {
-        return -1
+        return -1;
+    }
+    rc = apr_file_name_get(&temp_file, geo_lock_file);
+    if (rc != APR_SUCCESS) {
+        return -1;
     }
-    rc = apr_global_mutex_create(&msce->geo_lock, geo_lock_name, APR_LOCK_DEFAULT, mp);
+    rc = apr_global_mutex_create(&msce->geo_lock, temp_file, APR_LOCK_DEFAULT, mp);
     if (rc != APR_SUCCESS) {
         return -1;
     }
@@ -196,11 +212,15 @@ int modsecurity_init(msc_engine *msce, apr_pool_t *mp) {
 #endif /* SET_MUTEX_PERMS */
 
 #ifdef GLOBAL_COLLECTION_LOCK
-    rc = apr_file_mktemp(&dbm_lock_name, path, 0, p)
+    rc = apr_file_mktemp(&dbm_lock_file, temp_path_template, 0, mp);
     if (rc != APR_SUCCESS) {
-        return -1
+        return -1;
+    }
+    rc = apr_file_name_get(&temp_file, dbm_lock_file);
+    if (rc != APR_SUCCESS) {
+        return -1;
     }
-    rc = apr_global_mutex_create(&msce->dbm_lock, dbm_lock_name, APR_LOCK_DEFAULT, mp);
+    rc = apr_global_mutex_create(&msce->dbm_lock, temp_file, APR_LOCK_DEFAULT, mp);
     if (rc != APR_SUCCESS) {
         return -1;
     }

diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h
@@ -52,6 +52,7 @@ typedef struct msc_parm msc_parm;
 #include "apr_md5.h"
 #include "apr_strings.h"
 #include "apr_hash.h"
+#include "apr_file_io.h"
 #include "httpd.h"
 #include "http_config.h"
 #include "http_log.h"
@@ -135,10 +136,10 @@ typedef struct msc_parm msc_parm;
 
 #define FATAL_ERROR "ModSecurity: Fatal error (memory allocation or unexpected internal error)!"
 
-static char auditlog_lock_name[L_tmpnam];
-static char geo_lock_name[L_tmpnam];
+static char auditlog_lock_name[APR_PATH_MAX];
+static char geo_lock_name[APR_PATH_MAX];
 #ifdef GLOBAL_COLLECTION_LOCK
-static char dbm_lock_name[L_tmpnam];
+static char dbm_lock_name[APR_PATH_MAX];
 #endif
 
 extern DSOLOCAL char *new_server_signature;