
Re: [perl #15063] /tmp issues

From:
Dave Mitchell
Date:
February 1, 2004 13:23
Subject:
Re: [perl #15063] /tmp issues
Message ID:
20040201211816.GC25547@fdisolutions.com
On Sun, Feb 01, 2004 at 11:40:05PM +0300, Solar Designer wrote:
> On Sun, Feb 01, 2004 at 03:41:34PM +0000, Dave Mitchell wrote:
> > lib/CGI.pm
> >     I didn't apply this!
> > 
> >     +# XXX: The temporary file handling implemented in here is crap.  It should
> >     +# be re-done making use of File::Temp.
> 
> OK, but it does need to be re-worked!  The current code is insecure.
> 
> I don't think it can be fixed without changing user-visible interfaces,
> unfortunately.

I'm hoping that will be Someone Else's Problem.

> 
> > lib/CPAN.pm    
> >     didn't apply this:
> > 
> >      # If more accuracy is wanted/needed, Chris Leach sent me this patch...
> >      
> >       # > *** /install/perl/live/lib/CPAN.pm-	Wed Sep 24 13:08:48 1997
> >     - # > --- /tmp/cp	Wed Sep 24 13:26:40 1997
> >     + # > --- cp	Wed Sep 24 13:26:40 1997
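Review bot: this hunk only rewords a line inside a comment (the 1997 patch quoted into CPAN.pm), so it changes no behaviour; its sole effect is that the literal string "/tmp" no longer turns up when the tree is grepped. Given the age of that embedded patch, dropping the whole patch-in-a-comment would be a cleaner change than editing one line of it.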
> 
> OK, although not having "/tmp" there would save me and others a few
> seconds when checking subsequent versions of Perl with grep.

I suspect that whole patch-in-a-comment can probably be removed, judging
by its date.

> > utils/perlbug.PL
> > 
> >     This is designed to run on old 5.005 systems, and as such it can't
> >     rely on File::Temp, so I didn't apply this one.
> 
> Hmm.  Perhaps I am missing something, but why does the version of
> perlbug included in recent versions of Perl need to work with some
> other version?  The unpatched perlbug has a race (a security hole).

Because someone trying but failing to install a newer version of
Perl on a system can do

	/usr/bin/old-working-perl newperl-installdir/bin/perlbug ...

But yes, it needs fixing somehow.

-- 
"Foul and greedy Dwarf - you have eaten the last candle."
    -- "Hordes of the Things", BBC Radio.
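The race Solar Designer objects to in perlbug (a predictable name under /tmp opened without an exclusive-create check) and a fix that does not depend on File::Temp, as an added example written for this page rather than taken from perlbug, CGI.pm, File::Temp or the patches in the thread. It assumes perl 5.6 or later for lexical filehandles and three-argument open; the sysopen/O_EXCL idiom itself only needs Fcntl, which is present on 5.005. The 'perlbug' prefix and the 100-try limit are the example's own choices.

```perl
#!/usr/bin/perl -w
# Added example for this thread, not code from perlbug, CGI.pm, File::Temp
# or the patches under discussion. Assumes perl 5.6+ for lexical filehandles;
# the sysopen/O_EXCL idiom itself is available on 5.005 via Fcntl.
use strict;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

my $tmpdir = $ENV{TMPDIR} || '/tmp';

# Racy idiom (shown for contrast only): the name is predictable and a plain
# open('>') follows a symlink, so another local user who pre-creates
# /tmp/perlbug.<pid> as a link to a file the victim can write gets that file
# truncated and overwritten with whatever the victim writes here.
sub open_tempfile_racy {
    my $name = "$tmpdir/perlbug.$$";
    open(my $fh, '>', $name) or die "open $name: $!";
    return ($fh, $name);
}

# Safe idiom without File::Temp: an unpredictable name plus O_CREAT|O_EXCL,
# which the kernel evaluates atomically. If anything already exists at the
# path, a regular file or a symlink (even a dangling one), sysopen fails with
# EEXIST and the loop picks another name instead of reusing the attacker's.
sub open_tempfile_excl {
    my ($prefix) = @_;
    my @chars = ('a' .. 'z', 'A' .. 'Z', '0' .. '9');
    for my $try (1 .. 100) {
        my $suffix = join '', map { $chars[int rand @chars] } 1 .. 10;
        my $name = "$tmpdir/$prefix.$suffix";
        if (sysopen(my $fh, $name, O_WRONLY | O_CREAT | O_EXCL, 0600)) {
            return ($fh, $name);
        }
        die "sysopen $name: $!" unless $!{EEXIST};
    }
    die "could not create a temporary file in $tmpdir after 100 tries";
}

# Same thing on a perl that ships File::Temp, which does the O_EXCL loop
# (and more) internally.
sub open_tempfile_file_temp {
    require File::Temp;
    return File::Temp::tempfile('perlbug.XXXXXXXXXX', DIR => $tmpdir);
}

# Show the exclusive-create check doing its job: once the name exists, a
# second O_EXCL open of it is refused rather than silently reusing it.
my ($fh, $name) = open_tempfile_excl('perlbug');
print $fh "demo\n";
close $fh or die "close $name: $!";
my $reopened = sysopen(my $dup, $name, O_WRONLY | O_CREAT | O_EXCL, 0600);
printf "%s: exclusive re-create %s\n", $name,
    $reopened ? 'succeeded (unexpected)' : "refused ($!)";
unlink $name or die "unlink $name: $!";
```

The point of the loop is that the existence check and the creation are one system call; a separate `-e $name` test followed by `open` leaves exactly the window the thread calls a security hole. Opening with mode 0600 also keeps the file private regardless of the caller's umask.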


