File::Path::rmtree makes symlink targets world-writable

From: Niko Tyni
Date: June 21, 2008 12:44
Subject: File::Path::rmtree makes symlink targets world-writable
Message ID: 20080621065834.GA5578@rebekka

Hi p5p,

as reported in <http://bugs.debian.org/487319> and
<http://rt.cpan.org/Public/Bug/Display.html?id=36982>, when
File::Path::rmtree() encounters a symlink, it will change the permissions
of the link target to the permissions of the link, usually 0777. This is
obviously a Bad Thing with security implications. The 'safe' parameter
doesn't seem to help here.

There's a proposed patch by Ben Hutchings in the Debian report.  The bug
is present (at least) in File-Path-2.04, in both 5.10.0 and blead.
-- 
Niko Tyni   ntyni@debian.org
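
A regression check for the behaviour described in the report above, as an added example that is not part of the original message or of File::Path itself. The sandbox layout and file names are constructed, a platform with symlink support is assumed, and only the case of a symlink inside the removed tree is covered, with and without the legacy `safe` argument.

```perl
use strict;
use warnings;
use File::Path qw(rmtree);
use File::Temp qw(tempdir);
use File::Spec;

# Build a constructed sandbox: a 0600 file outside the tree to be removed,
# and a symlink to it inside that tree. Returns (target path, tree path).
sub build_sandbox {
    my $base   = tempdir(CLEANUP => 1);
    my $target = File::Spec->catfile($base, 'target.txt');
    my $tree   = File::Spec->catdir($base, 'tree');

    open(my $fh, '>', $target) or die "create $target: $!";
    close($fh) or die "close $target: $!";
    chmod(0600, $target) or die "chmod $target: $!";

    mkdir($tree) or die "mkdir $tree: $!";
    symlink($target, File::Spec->catfile($tree, 'link')) or die "symlink: $!";
    return ($target, $tree);
}

# Permission bits of a path; stat() follows symlinks, so this reads the target.
sub mode_of { return (stat($_[0]))[2] & 07777 }

# Run rmtree() on the sandbox tree and report whether the link target's
# mode survived. $safe is passed as the legacy third positional argument.
sub target_mode_preserved {
    my ($safe) = @_;
    my ($target, $tree) = build_sandbox();
    my $before = mode_of($target);
    rmtree($tree, 0, $safe);
    my $after = mode_of($target);
    printf "safe=%d: target mode %04o -> %04o\n", $safe, $before, $after;
    return $before == $after;
}

my $failed = 0;
print "File::Path version $File::Path::VERSION\n";
for my $safe (0, 1) {
    $failed++ unless target_mode_preserved($safe);
}
exit($failed ? 1 : 0);
```

A non-zero exit status means the target's permission bits changed while rmtree() ran.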
