# HG changeset patch
# User Mads Kiilerich
# Date 2020-11-04 13:19:18
# Node ID 6a90b1ebea2ca9a4b3995e5e0f87d9af4571a584
# Parent 3f1e5ec89bfc3908fb876f4880c59551bb63be7a
git: write Git hook files atomically Make sure we don't follow symlinks or inherit permissions from previously installed hook.
diff --git a/kallithea/model/scm.py b/kallithea/model/scm.py
--- a/kallithea/model/scm.py
+++ b/kallithea/model/scm.py
@@ -30,6 +30,7 @@ import os
 import posixpath
 import re
 import sys
+import tempfile
 import traceback
 import pkg_resources
@@ -702,10 +703,12 @@ class ScmModel(object):
 else:
 log.debug('writing %s hook file !', h_type)
 try:
- with open(hook_file, 'wb') as f:
- f.write(tmpl.replace(b'_TMPL_', safe_bytes(kallithea.__version__)))
- os.chmod(hook_file, 0o755)
- except IOError as e:
+ fh, fn = tempfile.mkstemp(prefix=hook_file + '.tmp.')
+ os.write(fh, tmpl.replace(b'_TMPL_', safe_bytes(kallithea.__version__)))
+ os.close(fh)
+ os.chmod(fn, 0o755)
+ os.rename(fn, hook_file)
+ except (OSError, IOError) as e:
 log.error('error writing hook %s: %s', hook_file, e)
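Review bot: The failure path of the new `try` block in the second hunk leaks both the descriptor returned by `tempfile.mkstemp` and the temporary file: if `os.write`, `os.chmod` or `os.rename` raises, `os.close(fh)` may never run and `fn` is never unlinked, so stale `.tmp.` files pile up in the hooks directory. The return value of `os.write` is also ignored, so a short write would let a truncated hook be renamed into place, which defeats the atomicity this change is after. Wrapping the descriptor with `os.fdopen(fh, 'wb')` and unlinking `fn` on error covers both, as sketched below. Separately, the temp file only lands next to the hook because `prefix` is an absolute path; whether `hook_file` is always absolute is not visible here, so passing `dir=os.path.dirname(hook_file)` explicitly would make the same-filesystem requirement of `os.rename` obvious. The enclosing method starts outside the hunk.

```python
try:
    fh, fn = tempfile.mkstemp(prefix=hook_file + '.tmp.')
    try:
        # fdopen takes ownership of fh: it is closed on every path, and the
        # buffered writer retries short writes instead of dropping bytes.
        with os.fdopen(fh, 'wb') as f:
            f.write(tmpl.replace(b'_TMPL_', safe_bytes(kallithea.__version__)))
        os.chmod(fn, 0o755)
        os.rename(fn, hook_file)
    except BaseException:
        # Nothing was installed; do not leave the partial temp file behind.
        os.unlink(fn)
        raise
# ... unchanged: except (OSError, IOError) handler and log.error call ...
```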