diff -up pyxdg-0.25/xdg/BaseDirectory.py.CVE-2014-1624 pyxdg-0.25/xdg/BaseDirectory.py

--- pyxdg-0.25/xdg/BaseDirectory.py.CVE-2014-1624	2014-12-04 11:49:53.681654931 -0500

+++ pyxdg-0.25/xdg/BaseDirectory.py	2014-12-04 11:52:45.831522703 -0500

@@ -25,7 +25,7 @@ Typical usage:

 Note: see the rox.Options module for a higher-level API for managing options.

 """

-import os

+import os, stat

 _home = os.path.expanduser('~')

 xdg_data_home = os.environ.get('XDG_DATA_HOME') or \

@@ -131,15 +131,29 @@ def get_runtime_dir(strict=True):

         import getpass

         fallback = '/tmp/pyxdg-runtime-dir-fallback-' + getpass.getuser()

+        create = False

         try:

-            os.mkdir(fallback, 0o700)

+            # This must be a real directory, not a symlink, so attackers can't

+            # point it elsewhere. So we use lstat to check it.

+            st = os.lstat(fallback)

         except OSError as e:

             import errno

-            if e.errno == errno.EEXIST:

-                # Already exists - set 700 permissions again.

-                import stat

-                os.chmod(fallback, stat.S_IRUSR|stat.S_IWUSR|stat.S_IXUSR)

-            else: # pragma: no cover

+            if e.errno == errno.ENOENT:

+                create = True

+            else:

                 raise

+        else:

+            # The fallback must be a directory

+            if not stat.S_ISDIR(st.st_mode):

+                os.unlink(fallback)

+                create = True

+            # Must be owned by the user and not accessible by anyone else

+            elif (st.st_uid != os.getuid()) \

+              or (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)):

+                os.rmdir(fallback)

+                create = True

+

+        if create:

+            os.mkdir(fallback, 0o700)

         return fallback