fix CVE-2019-11244: kubectl --http-cache=<world-accessible dir> creates world-writeable cached schema files

Kubernetes-commit: f228ae3364729caed59087e23c42868454bc3ff4
2025-09-24 20:47:56 +00:00 · 2019-05-14 14:49:38 +08:00
parent e10a9b6eaa
commit 790a4f6363
4 changed files with 84 additions and 2 deletions
--- a/discovery/cached/disk/cached_discovery.go
+++ b/discovery/cached/disk/cached_discovery.go
@@ -172,7 +172,7 @@ func (d *CachedDiscoveryClient) getCachedFile(filename string) ([]byte, error) {
 }

 func (d *CachedDiscoveryClient) writeCachedFile(filename string, obj runtime.Object) error {
-	if err := os.MkdirAll(filepath.Dir(filename), 0755); err != nil {
+	if err := os.MkdirAll(filepath.Dir(filename), 0750); err != nil {
 		return err
 	}

@@ -191,7 +191,7 @@ func (d *CachedDiscoveryClient) writeCachedFile(filename string, obj runtime.Obj
 		return err
 	}

-	err = os.Chmod(f.Name(), 0755)
+	err = os.Chmod(f.Name(), 0660)
 	if err != nil {
 		return err
 	}