From 292cf7c649c4fa6cc63ed6a1ae9368d1dc70588d Mon Sep 17 00:00:00 2001
From: Martin Holst Swende <martin@swende.se>
Date: Fri, 30 Aug 2019 10:39:29 +0200
Subject: [PATCH] eth: disallow overwrite files via admin.exportChain

---
 eth/api.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/eth/api.go b/eth/api.go
index 98c2f5874..f8c51c09b 100644
--- a/eth/api.go
+++ b/eth/api.go
@@ -168,6 +168,11 @@ func NewPrivateAdminAPI(eth *Ethereum) *PrivateAdminAPI {
 
 // ExportChain exports the current blockchain into a local file.
 func (api *PrivateAdminAPI) ExportChain(file string) (bool, error) {
+	if _, err := os.Stat(file); err == nil {
+		// File already exists. Allowing overwrite could be a DoS vecotor,
+		// since the 'file' may point to arbitrary paths on the drive
+		return false, errors.New("location would overwrite an existing file")
+	}
 	// Make sure we can create the file to export into
 	out, err := os.OpenFile(file, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.ModePerm)
 	if err != nil {
-- 
GitLab