develooper Front page | perl.perl5.porters | Postings from June 2008

Re: File::Path::rmtree makes symlink targets world-writable

Thread Previous | Thread Next
From:
David Landgren
Date:
June 23, 2008 12:56
Subject:
Re: File::Path::rmtree makes symlink targets world-writable
Message ID:
485FFFF1.9030904@landgren.net
Niko Tyni wrote, some time around 21/06/2008 08:58:
> Hi p5p,
> 
> as reported in <http://bugs.debian.org/487319> and
> <http://rt.cpan.org/Public/Bug/Display.html?id=36982>, when
> File::Path::rmtree() encounters a symlink, it will change the permissions
> of the link target to the permissions of the link, usually 0777. This is
> obviously a Bad Thing with security implications. The 'safe' parameter
> doesn't seem to help here.
> 
> There's a proposed patch by Ben Hutchings in the Debian report.  The bug
> is present (at least) in File-Path-2.04, in both 5.10.0 and blead.

Just to follow up for the list (not quite sure how to CC: RT@perl.org 
but I've taken the ticket there), I'll have a fix for this in 2.07. The 
latter is currently stalled for lack of tuits; I've fixed up the new/old 
interface issues for mkpath(), now I just have to do the same for rmtree().

I'm just slightly curious: this problem must have always been present in 
previous versions, the essence of the rmtree() function remains the 
same, I only added an alternate error reporting channel into the code. 
If someone can find the time to prove or disprove that this behaviour 
has crept in since 2.x it would be of great help. That will allow me to 
figure out if code needs to be added or removed/reverted...

Thanks,
David
-- 
stubborn tiny lights vs. clustering darkness forever ok?

Thread Previous | Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About