Curl fails to preserve file permissions when writing:
CURLOPT_COOKIEJAR
databaseCURLOPT_ALTSVC
databaseCURLOPT_HSTS
databaseInstead the permissions is always reset to 0666 & ~umask if the file is updated.
As a result a file that was before protected against read access by other users becomes other user readable (as long as umask doesnโt have bit 2 set).
Out of these files only the CURLOPT_COOKIEJAR
is likely to contain sensitive information.
In addition curl will replace softlink to the database with locally written database, or if the application is run privileged, specifying "/dev/null"
as a file name can lead to system overwriting the special file and result in inoperable system.
This is CWE-281: Improper Preservation of Permissions
umask 022
install -m 600 /dev/null cookie.db
curl -b cookie.db -c cookie.db https://google.com
ls -l cookie.db
At least for CURLOPT_COOKIEJAR
this vulnerability was introduced in https://github.com/curl/curl/commit/b834890a3fa3f525cd8ef4e99554cdb4558d7e1b - this change was introduced to fix a issue https://github.com/curl/curl/issues/4914
If a file file is created and moved over a the old one, only do this if the file is regular file. Anything else is likely going to end up causing unexpected behaviour, outright failing, or if the user has high enough permissions, damage to the operating system.
Safe cloning of file permissions can only be achieved if the owner / group of the file match the current user (else group permissions might be incorrect). Hence creating a new file and moving it over the old one should IMO only be attempted if the file user and group match that of the previous file.
If a method of creating a new file is still desired, something like this could be attempted to cover the most use cases:
/* If old file is a regular file attempt creating a new file with same ownership */
struct stat st;
if (stat(filename, &st) != -1 && S_ISREG(st.st_mode)) {
FILE *file;
int fd;
struct stat nst;
fd = open(tempstore, O_CREAT | O_EXCL, 0700);
if (fd == -1)
goto fail;
if (fstat(fd, &nst) == -1 ||
nst.st_uid != st.st_uid || nst.st_gid != st.st_gid) {
/* newly created file doesn't have same ownership, we can't proceed safely */
close(fd);
unlink(tempstore);
goto fail; // or perhaps try direct write instead?
}
/* use same mode as old file */
if (fchmod(fd, st.st_mode) == -1) {
close(fd);
unlink(tempstore);
goto fail;
}
file = fdopen(fd, FOPEN_WRITETEXT);
if (!file) {
close(fd);
unlink(tempstore);
goto fail;
}
/* write to file */
/* if successful move file over filename etc */
}
else ย {
/* use direct file write */
}
Leak of sensitive information