maziggy 1 month ago
parent
commit
18dceb3c32
2 changed files with 7 additions and 1 deletions
  1. 3 0
      CHANGELOG.md
  2. 4 1
      backend/app/api/routes/settings.py

+ 3 - 0
CHANGELOG.md

@@ -4,6 +4,9 @@ All notable changes to Bambuddy will be documented in this file.
 
 ## [0.2.3b4] - Unreleased
 
+### Fixed
+- **Insecure Temp File Creation in Backup Export** — The manual backup download endpoint used `tempfile.mktemp()`, which is vulnerable to a symlink race condition (CWE-377). Replaced with `tempfile.mkstemp()` which atomically creates the file, eliminating the TOCTOU window.
+
 
 ## [0.2.3b3] - 2026-04-12
 

+ 4 - 1
backend/app/api/routes/settings.py

@@ -1,5 +1,6 @@
 import io
 import logging
+import os
 import zipfile
 from datetime import datetime
 from pathlib import Path
@@ -457,7 +458,9 @@ async def create_backup_zip(output_path: Path | None = None) -> tuple[Path, str]
         if output_path is not None:
             zip_file = output_path / filename
         else:
-            zip_file = Path(tempfile.mktemp(suffix=".zip"))  # noqa: S306
+            fd, tmp = tempfile.mkstemp(suffix=".zip")
+            os.close(fd)
+            zip_file = Path(tmp)
 
         with zipfile.ZipFile(zip_file, "w", zipfile.ZIP_DEFLATED) as zf:
             for file_path in temp_path.rglob("*"):
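Review bot: The descriptor returned by `tempfile.mkstemp()` is closed right away with `os.close(fd)`, and `zipfile.ZipFile(zip_file, "w", ...)` then reopens the file by name, so the exclusive-create guarantee covers only the creation and not the write. Between those two calls the safety depends on the temp directory not letting another user replace the entry (a sticky-bit `/tmp` or a private `TMPDIR`), which is a weaker property than the changelog's "eliminating the TOCTOU window". Where `output_path` is None, consider writing through the descriptor, e.g. `tmp_fh = os.fdopen(fd, "w+b")` passed to `zipfile.ZipFile(tmp_fh, "w", zipfile.ZIP_DEFLATED)`. At minimum, add a comment above the `mkstemp` line such as `# created 0600 with O_EXCL; reopened by path below, so this relies on the temp dir being non-replaceable by other users`. The file also now exists before any archive data is written, and `create_backup_zip` starts and ends outside this hunk, so it is worth confirming that a failure inside the `with` block unlinks the temporary file rather than leaving a partial backup behind.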