From b02369135e1dbdde99f72d9bea685e17ccfcce91 Mon Sep 17 00:00:00 2001
From: ThatTotallyRealMyth <106909154+ThatTotallyRealMyth@users.noreply.github.com>
Date: Thu, 19 Mar 2026 09:40:57 +1100
Subject: [PATCH] ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.

The ast_tsconvert.py script called by ast_loggrabber is now installed in a temporary directory that isn't world readable or writable.

Resolves: #GHSA-xgj6-2gc5-5x9c
---
 contrib/scripts/ast_loggrabber | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/contrib/scripts/ast_loggrabber b/contrib/scripts/ast_loggrabber
index 0683dfd991..90beaaa761 100755
--- a/contrib/scripts/ast_loggrabber
+++ b/contrib/scripts/ast_loggrabber
@@ -216,17 +216,18 @@ fi
 # Timestamp to use for output files
 df=${tarball_uniqueid:-$(${DATEFORMAT})}
-# Extract the Python timestamp conver script from the end of this
-# script and save it to /tmp/.ast_tsconvert.py
-
-install -m 0600 /dev/stdin /tmp/.ast_tsconvert.py < <(sed '1,/^#@@@SCRIPTSTART@@@/ d' "$0")
 tmpdir=$(mktemp -d)
 if [ -z "$tmpdir" ] ; then
 echo "${prog}: Unable to create temporary directory."
 exit 1
 fi
-trap "rm -rf $tmpdir /tmp/.ast_tsconvert.py" EXIT
+
+# Extract the Python timestamp conver script from the end of this
+# script and save it to the temporary directory
+
+install -m 0600 /dev/stdin "$tmpdir/.ast_tsconvert.py" < <(sed '1,/^#@@@SCRIPTSTART@@@/ d' "$0")
+
+trap "rm -rf $tmpdir" EXIT
 tardir=asterisk-${df}.logfiles
 # Now iterate over the logfiles
@@ -237,7 +238,7 @@ for i in ${!LOGFILES[@]} ; do
 mkdir -p "$destdir" 2>/dev/null || :
 if [ -n "$LOG_DATEFORMAT" ] ; then
 echo "Converting $lf"
- cat "$lf" | python /tmp/.ast_tsconvert.py --format="$LOG_DATEFORMAT" --timezone="$LOG_TIMEZONE" > "${destfile}"
+ cat "$lf" | python "$tmpdir/.ast_tsconvert.py" --format="$LOG_DATEFORMAT" --timezone="$LOG_TIMEZONE" > "${destfile}"
 else
 echo "Copying $lf"
 cp "$lf" "${destfile}"
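Review bot: The EXIT trap is now registered only after the `install` step, so any exit between `mktemp -d` and the `trap` line leaves the new directory and the extracted script behind. The trap string is also double-quoted, which expands `$tmpdir` when the trap is set and hands it to `rm -rf` unquoted, so a `TMPDIR` containing whitespace or glob characters would be word-split and the cleanup would act on the wrong names. Registering the trap directly after the `mktemp` check as `trap 'rm -rf -- "$tmpdir"' EXIT` closes both gaps. The result of `install` is not checked in this hunk either, so a failed extraction is only noticed later when `python` cannot open the file; appending `|| exit 1` to the `install` line would make that explicit.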
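Review bot: A failed conversion is silent on the changed `python "$tmpdir/.ast_tsconvert.py"` line, because the pipeline's exit status is ignored: a missing interpreter or a script that was never extracted leaves an empty or truncated `${destfile}`, which is presumably still packaged with the other logs. For a tool whose output is used for troubleshooting, that loss should be visible; consider `python "$tmpdir/.ast_tsconvert.py" --format="$LOG_DATEFORMAT" --timezone="$LOG_TIMEZONE" < "$lf" > "${destfile}" || echo "${prog}: failed to convert $lf" >&2`, which also drops the extra `cat`. The enclosing `for` loop and `if` start and end outside the hunk, so how the collected files are consumed afterwards is not visible here.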