On Sun, Feb 01, 2004 at 11:40:05PM +0300, Solar Designer wrote:
> On Sun, Feb 01, 2004 at 03:41:34PM +0000, Dave Mitchell wrote:
> > lib/CGI.pm
> > I didn't apply this!
> >
> > +# XXX: The temporary file handling implemented in here is crap. It should
> > +# be re-done making use of File::Temp.
>
> OK, but it does need to be re-worked! The current code is insecure.
>
> I don't think it can be fixed without changing user-visible interfaces,
> unfortunately.

I'm hoping that will be Someone Else's Problem.

>
> > lib/CPAN.pm
> > didn't apply this:
> >
> > # If more accuracy is wanted/needed, Chris Leach sent me this patch...
> >
> > # > *** /install/perl/live/lib/CPAN.pm- Wed Sep 24 13:08:48 1997
> > - # > --- /tmp/cp Wed Sep 24 13:26:40 1997
> > + # > --- cp Wed Sep 24 13:26:40 1997
>
> OK, although not having "/tmp" there would save me and others a few
> seconds when checking subsequent versions of Perl with grep.

I suspect that whole patch-in-a-comment can probably be removed, judging by
its date.

> > utils/perlbug.PL
> >
> > This is designed to run on old 5.005 systems, and as such it can't
> > rely on File::Temp, so I didn't apply this one.
>
> Hmm. Perhaps I am missing something, but why does the version of
> perlbug included in recent versions of Perl need to work with some
> other version? The unpatched perlbug has a race (a security hole).

Because someone trying but failing to install a newer version of Perl on a
system can do

    /usr/bin/old-working-perl newperl-installdir/bin/perlbug ...

But yes, it needs fixing somehow.

-- 
"Foul and greedy Dwarf - you have eaten the last candle."
    -- "Hordes of the Things", BBC Radio.