develooper Front page | perl.perl5.porters | Postings from February 2000

Re: Perl's alleged tempfile vulnerabilities on BUGTRAQ

Thread Previous
Hank Leininger
February 5, 2000 16:12
Re: Perl's alleged tempfile vulnerabilities on BUGTRAQ
Message ID:
On 2000-02-04, Tom Christiansen <> wrote:

[big snip]
> There *is* one more thing we might be able to do, one that's a bit
> more proactive.  We might augment Perl's open function so that it
> would emit a warning when run with warnings[FN#2] and/or that it
> would raise an exception when run in taint mode[FN#3].

> This would mean checking for using the perilously simplistic
> open(FH, ">filename") style of open (which, being fopen(path, "w"),
> is really O_TRUNC|O_CREAT not O_EXCL|O_CREAT) on a file whose name
> looks like a tempfile.

> Now, just how could you ever tell that?  Well, one could watch for
> "$$" at the end of the filename.  Maybe this would be only in
> conjunction with a "/tmp/" component, but not necessarily rooted
> at slash, so that /usr/tmp and /var/tmp would show up, too.

A generalized check which doesn't require hard-coded paths, might be
paranoid enough, and has a *chance* of being portable to sub-UNIX OSs
could be: is the directory the file is being created in world-writable?
If so, emit warning-of-choice.

This is probably breakable by racing the bottom level dir.  But it might
be worth thinking more about.

Hank Leininger <> 

Thread Previous Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About