Fix CVE-2011-4028: File disclosure vulnerability.

use O_NOFOLLOW to open the existing lock file, so symbolic links aren't followed, thus avoid revealing if it point to an existing file. Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Fix CVE-2011-4028: File disclosure vulnerability.
6ba44b91 · Matthieu Herrb · fb84be47 · 6ba44b91
Commit 6ba44b91 authored 13 years ago by Matthieu Herrb
--- a/os/utils.c
+++ b/os/utils.c
@@ -318,7 +318,7 @@ LockServer(void)
      /*
       * Read the pid from the existing file
       */
-      lfd = open(LockFile, O_RDONLY);
+      lfd = open(LockFile, O_RDONLY|O_NOFOLLOW);
      if (lfd < 0) {
        unlink(tmp);
        FatalError("Can't read lock file %s\n", LockFile);