develooper Front page | perl.perl5.porters | Postings from June 2008

[rt.cpan.org #37031] Re: File::Path::rmtree makes symlink targets world-writable

From: david@landgren.net via RT
Date: June 24, 2008 08:58
Subject: [rt.cpan.org #37031] Re: File::Path::rmtree makes symlink targets world-writable
Message ID: rt-3.6.HEAD-20362-1214251047-905.37031-4-0@rt.cpan.org

Mon Jun 23 15:57:25 2008: Request 37031 was acted upon.
Transaction: Ticket created by david@landgren.net
       Queue: File-Path
     Subject: Re: File::Path::rmtree makes symlink targets world-writable
   Broken in: (no value)
    Severity: (no value)
       Owner: Nobody
  Requestors: david@landgren.net
      Status: new
 Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=37031 >


Niko Tyni wrote, some time around 21/06/2008 08:58:
> Hi p5p,
> 
> as reported in <http://bugs.debian.org/487319> and
> <http://rt.cpan.org/Public/Bug/Display.html?id=36982>, when
> File::Path::rmtree() encounters a symlink, it will change the permissions
> of the link target to the permissions of the link, usually 0777. This is
> obviously a Bad Thing with security implications. The 'safe' parameter
> doesn't seem to help here.
> 
> There's a proposed patch by Ben Hutchings in the Debian report.  The bug
> is present (at least) in File-Path-2.04, in both 5.10.0 and blead.

Just to follow up for the list (not quite sure how to CC: RT@perl.org 
but I've taken the ticket there), I'll have a fix for this in 2.07. The 
latter is currently stalled for lack of tuits; I've fixed up the new/old 
interface issues for mkpath(), now I just have to do the same for rmtree().

I'm just slightly curious: this problem must have always been present in 
previous versions, the essence of the rmtree() function remains the 
same, I only added an alternate error reporting channel into the code. 
If someone can find the time to prove or disprove that this behaviour 
has crept in since 2.x it would be of great help. That will allow me to 
figure out if code needs to be added or removed/reverted...

Thanks,
David
-- 
stubborn tiny lights vs. clustering darkness forever ok?
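
The behaviour reported in the quoted message can be reproduced in a sandbox with the sketch below. It is an added example, not part of the thread and not File::Path's own code; the helper names `naive_make_writable` and `careful_make_writable` are hypothetical, and the 0777 link mode assumes a Linux-style lstat().

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Permission bits of a path, read without following a symlink.
sub lmode {
    my ($path) = @_;
    my @st = lstat($path) or die "lstat $path: $!";
    return $st[2] & 07777;
}

# Hypothetical naive step: lstat() the entry, then chmod() it writable before
# unlinking. chmod() follows symlinks, so the link's bits land on the target.
sub naive_make_writable {
    my ($path) = @_;
    my $perm = lmode($path) | 0600;
    chmod($perm, $path) or die "chmod $path: $!";
    return $perm;
}

# Hypothetical hardened step: leave symlinks alone; unlink() removes the link
# itself and does not need any permission on the target.
sub careful_make_writable {
    my ($path) = @_;
    return if -l $path;
    my $perm = lmode($path) | 0600;
    chmod($perm, $path) or die "chmod $path: $!";
    return $perm;
}

# Constructed sandbox: a 0600 file and a symlink pointing at it.
my $dir    = tempdir(CLEANUP => 1);
my $target = "$dir/secret.txt";
my $link   = "$dir/link";
open(my $fh, '>', $target) or die "open $target: $!";
close($fh);
chmod(0600, $target) or die "chmod $target: $!";
symlink($target, $link) or die "symlink $link: $!";

printf "link mode (lstat):    %04o\n", lmode($link);
careful_make_writable($link);
printf "target after careful: %04o\n", lmode($target);
naive_make_writable($link);
printf "target after naive:   %04o\n", lmode($target);
```

The `-l` test followed by `chmod` is still two separate system calls, so a path that another user can replace between them needs a stronger guard than this check alone.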

