[mysql-5.6][PR] fix: fopen race condition

Summary: libcurl can be told to save cookie, HSTS and/or alt-svc data to files. When doing this, it called stat() followed by fopen() in a way that made it vulnerable to a TOCTOU race condition problem. ref: Patch: curl/curl@0c667188e0c6cda615a0 https://curl.se/docs/CVE-2023-32001.html https://hackerone.com/reports/2039870 https://hackerone.com/reports/2039870 Pull Request resolved: facebook#1435 GitHub Author: RashidKhanPathan <[email protected]> Test Plan: Imported from GitHub, without a `Test Plan:` line. Reviewers: saumitr, #mysql_eng Reviewed By: saumitr Subscribers: saumitr Differential Revision: https://phabricator.intern.facebook.com/D54556316
inikep · Mar 16, 2024 · 2cbfa18 · 2cbfa18
1 parent 4465ee2
commit 2cbfa18
Showing 1 changed file with 7 additions and 6 deletions.
diff --git a/extra/curl/curl-7.86.0/lib/fopen.c b/extra/curl/curl-7.86.0/lib/fopen.c
@@ -56,13 +56,14 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
   int fd = -1;
   *tempname = NULL;
 
-  if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
-    /* a non-regular file, fallback to direct fopen() */
-    *fh = fopen(filename, FOPEN_WRITETEXT);
-    if(*fh)
-      return CURLE_OK;
+  *fh = fopen(filename, FOPEN_WRITETEXT);
+  if(!*fh)
+
     goto fail;
-  }
+  if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode))
+    return CURLE_OK;
+  fclose(*fh);
+  *fh = NULL;
 
   result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
   if(result)