develooper Front page | perl.perl5.porters | Postings from February 2004

Re: [perl #15063] /tmp issues

From: Solar Designer
Date: February 2, 2004 04:17
Subject: Re: [perl #15063] /tmp issues
Message ID: 20040201204005.GB984@openwall.com
On Sun, Feb 01, 2004 at 03:41:34PM +0000, Dave Mitchell wrote:
> On Mon, Jan 26, 2004 at 01:22:18AM +0300, Solar Designer wrote:
> > Well, our package has been updated to Perl 5.8.3, and attached to this
> > message you can find the new temporary file handling patch.
> 
> Thanks, applied to bleedperl as change #22255, except for the following:

Thank you!  My comments on the non-applied changes below:

> Many systems don't have a /var/run directory, or it is only writeable by root;
> so in the following files I didn't change the examples from '/tmp/foo'
> to '/var/run/foo'; instead I changed them to just 'foo' or '/some/path/foo'
> as appropriate:
> 
>     ext/DB_File/DB_File.pm
>     ext/Storable/Storable.pm
>     lib/CGI/Cookie.pm
>     pod/perldbmfilter.pod

OK.

> ext/ODBM_File/ODBM_File.xs
>     changed "/nonexistent" to "/non/exist/ent" - less likelihood of the
>     file actually being created, eg by a bug in the script

OK.

> lib/CGI.pm
>     I didn't apply this!
> 
>     +# XXX: The temporary file handling implemented in here is crap.  It should
>     +# be re-done making use of File::Temp.

OK, but it does need to be re-worked!  The current code is insecure.

I don't think it can be fixed without changing user-visible interfaces,
unfortunately.

> lib/CPAN.pm
>     didn't apply this:
> 
>      # If more accuracy is wanted/needed, Chris Leach sent me this patch...
>      
>       # > *** /install/perl/live/lib/CPAN.pm-	Wed Sep 24 13:08:48 1997
>     - # > --- /tmp/cp	Wed Sep 24 13:26:40 1997
>     + # > --- cp	Wed Sep 24 13:26:40 1997
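Review bot: the `-`/`+` pair rewrites the `---` header of Chris Leach's 1997 patch, which is quoted verbatim inside a comment, so applying it changes no executable code and turns the quote into a misquote of the original diff; the only effect is keeping the string "/tmp" out of source-wide greps, so the trade-off is grep hygiene against fidelity of the quoted patch.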

OK, although not having "/tmp" there would save me and others a few
seconds when checking subsequent versions of Perl with grep.

> lib/ExtUtils/instmodsh
>     it no longer uses the tmp file it creates, so I just removed the
> 	$tmp = "/tmp/inst.$$"
>     line instead.

Great!

> lib/perl5db.pl
> pod/perldebug.pod
>     rather than changing the tty file from /tmp/perldbtty$$ to
>     /var/run/perldbtty$$, I changed it to .perldbtty$$
>     Note that this is a user-visible change.

OK.

> utils/perlbug.PL
> 
>     This is designed to run on old 5.005 systems, and as such it can't
>     rely on File::Temp, so I didn't apply this one.

Hmm.  Perhaps I am missing something, but why does the version of
perlbug included in recent versions of Perl need to work with some
other version?  The unpatched perlbug has a race (a security hole).

Thanks again,

-- 
Alexander
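The thread refers to predictable "/tmp/name.$$" paths (the instmodsh line) and to code that cannot use File::Temp (perlbug). The following is an added example, not from the submitted patch or from the Perl sources, showing the unsafe pattern beside two defensive replacements; the function names are invented for illustration, and the claim that sysopen with O_EXCL is the fallback where File::Temp is unavailable is an assumption of this example.

```perl
#!/usr/bin/perl
# Added illustration, not code from the thread or from perl's own tree.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempfile);

# Unsafe: the name is derived only from the PID, so it is guessable, and a
# plain open() follows whatever already sits at that path.  This is the
# shape of the "$tmp = '/tmp/inst.$$'" line the thread removed.
sub unsafe_tmp_name {
    return "/tmp/inst.$$";
}

# Narrow fix for code that cannot depend on File::Temp (assumed fallback):
# O_EXCL makes the open fail if the path already exists, symlinks included,
# so a collision is detected instead of written through.  Returns undef on
# failure so the caller can abort rather than reuse the path.
sub open_excl {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return;
    return $fh;
}

# Preferred: File::Temp chooses an unpredictable name under the system
# temporary directory, creates it with O_EXCL itself, and with UNLINK => 1
# removes it at exit.
sub open_tempfile {
    my ($fh, $name) = tempfile("inst.XXXXXXXXXX", TMPDIR => 1, UNLINK => 1);
    return ($fh, $name);
}

# Usage: write scratch data through the File::Temp handle.
my ($fh, $name) = open_tempfile();
print {$fh} "scratch data\n";
close $fh or die "close $name: $!";
print "wrote $name\n";

# Usage of the fallback: a second open of the same path must fail.
my $path = "$name.excl";
my $first = open_excl($path) or die "first open_excl $path: $!";
my $second = open_excl($path);
print defined $second ? "unexpected: second open succeeded\n"
                      : "second open refused as expected: $!\n";
close $first;
unlink $path;
```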
