[perl-HTTP-Tiny] Do not use already existing temporary files

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



commit 693e0bc81227b929b477a833e5601dbd46ad2fb3
Author: Petr Písař <ppisar@xxxxxxxxxx>
Date:   Wed Nov 27 12:23:39 2013 +0100

    Do not use already existing temporary files

 ...-not-use-already-existing-temporary-files.patch |   45 ++++++++++++++++++++
 perl-HTTP-Tiny.spec                                |    6 +++
 2 files changed, 51 insertions(+), 0 deletions(-)
---
diff --git a/HTTP-Tiny-0.038-Do-not-use-already-existing-temporary-files.patch b/HTTP-Tiny-0.038-Do-not-use-already-existing-temporary-files.patch
new file mode 100644
index 0000000..2f81f42
--- /dev/null
+++ b/HTTP-Tiny-0.038-Do-not-use-already-existing-temporary-files.patch
@@ -0,0 +1,45 @@
+From 5391d7a3c315afbdfb56d68b729cd20c0c6a893d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@xxxxxxxxxx>
+Date: Wed, 27 Nov 2013 10:58:07 +0100
+Subject: [PATCH 2/2] Do not use already existing temporary files
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+mirror() method tries to create a new temporary file as can be
+concluded by using random name.
+
+To prevent from from attacks, one has to make sure the file does not
+exist. This patch creates temporary files with O_CREAT|O_EXCL mode.
+
+Signed-off-by: Petr Písař <ppisar@xxxxxxxxxx>
+---
+ lib/HTTP/Tiny.pm | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm
+index 48763ff..04c4858 100644
+--- a/lib/HTTP/Tiny.pm
++++ b/lib/HTTP/Tiny.pm
+@@ -6,6 +6,7 @@ use warnings;
+ our $VERSION = '0.038'; # VERSION
+ 
+ use Carp ();
++use Fcntl ();
+ 
+ 
+ my @attributes;
+@@ -113,8 +114,8 @@ sub mirror {
+         $args->{headers}{'if-modified-since'} ||= $self->_http_date($mtime);
+     }
+     my $tempfile = $file . int(rand(2**31));
+-    open my $fh, ">", $tempfile
+-        or Carp::croak(qq/Error: Could not open temporary file $tempfile for downloading: $!\n/);
++    sysopen my $fh, $tempfile, Fcntl::O_CREAT|Fcntl::O_EXCL|Fcntl::O_WRONLY
++        or Carp::croak(qq/Error: Could not create temporary file $tempfile for downloading: $!\n/);
+     binmode $fh;
+     $args->{data_callback} = sub {
+         print {$fh} $_[0]
+-- 
+1.8.3.1
+
diff --git a/perl-HTTP-Tiny.spec b/perl-HTTP-Tiny.spec
index 4418f00..881443a 100644
--- a/perl-HTTP-Tiny.spec
+++ b/perl-HTTP-Tiny.spec
@@ -9,6 +9,9 @@ Source0:        http://www.cpan.org/authors/id/D/DA/DAGOLDEN/HTTP-Tiny-%{version
 # Check for write failure, bug #1031096,
 # <https://github.com/chansen/p5-http-tiny/issues/32>
 Patch0:         HTTP-Tiny-0.038-Croak-on-failed-write-into-a-file.patch
+# Do not use already existing temporary files, bug #1031096,
+# <https://github.com/chansen/p5-http-tiny/issues/32>
+Patch1:         HTTP-Tiny-0.038-Do-not-use-already-existing-temporary-files.patch
 BuildArch:      noarch
 BuildRequires:  perl
 BuildRequires:  perl(ExtUtils::MakeMaker) >= 6.17
@@ -18,6 +21,7 @@ BuildRequires:  perl(warnings)
 BuildRequires:  perl(bytes)
 BuildRequires:  perl(Carp)
 BuildRequires:  perl(Errno)
+BuildRequires:  perl(Fcntl)
 BuildRequires:  perl(IO::Socket)
 # IO::Socket::SSL 1.56 is optional
 BuildRequires:  perl(MIME::Base64)
@@ -55,6 +59,7 @@ resumes after EINTR.
 %prep
 %setup -q -n HTTP-Tiny-%{version}
 %patch0 -p1
+%patch1 -p1
 
 %build
 perl Makefile.PL INSTALLDIRS=vendor
@@ -76,6 +81,7 @@ make test
 %changelog
 * Wed Nov 27 2013 Petr Pisar <ppisar@xxxxxxxxxx> - 0.038-2
 - Croak on failed write into a file (bug #1031096)
+- Do not use already existing temporary files (bug #1031096)
 
 * Tue Nov 19 2013 Petr Pisar <ppisar@xxxxxxxxxx> - 0.038-1
 - 0.038 bump
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/perl-devel





[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Legacy Announce]     [Fedora PHP Devel]     [Kernel Devel]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite Information]
  Powered by Linux