commit 693e0bc81227b929b477a833e5601dbd46ad2fb3 Author: Petr Písař <ppisar@xxxxxxxxxx> Date: Wed Nov 27 12:23:39 2013 +0100 Do not use already existing temporary files ...-not-use-already-existing-temporary-files.patch | 45 ++++++++++++++++++++ perl-HTTP-Tiny.spec | 6 +++ 2 files changed, 51 insertions(+), 0 deletions(-)
---
diff --git a/HTTP-Tiny-0.038-Do-not-use-already-existing-temporary-files.patch b/HTTP-Tiny-0.038-Do-not-use-already-existing-temporary-files.patch
new file mode 100644
index 0000000..2f81f42
--- /dev/null
+++ b/HTTP-Tiny-0.038-Do-not-use-already-existing-temporary-files.patch
@@ -0,0 +1,45 @@
+From 5391d7a3c315afbdfb56d68b729cd20c0c6a893d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@xxxxxxxxxx>
+Date: Wed, 27 Nov 2013 10:58:07 +0100
+Subject: [PATCH 2/2] Do not use already existing temporary files
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+mirror() method tries to create a new temporary file as can be
+concluded by using random name.
+
+To prevent from from attacks, one has to make sure the file does not
+exist. This patch creates temporary files with O_CREAT|O_EXCL mode.
+
+Signed-off-by: Petr Písař <ppisar@xxxxxxxxxx>
+---
+ lib/HTTP/Tiny.pm | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm
+index 48763ff..04c4858 100644
+--- a/lib/HTTP/Tiny.pm
++++ b/lib/HTTP/Tiny.pm
+@@ -6,6 +6,7 @@ use warnings;
+ our $VERSION = '0.038'; # VERSION
+
+ use Carp ();
++use Fcntl ();
+
+
+ my @attributes;
+@@ -113,8 +114,8 @@ sub mirror {
+ $args->{headers}{'if-modified-since'} ||= $self->_http_date($mtime);
+ }
+ my $tempfile = $file . int(rand(2**31));
+- open my $fh, ">", $tempfile
+- or Carp::croak(qq/Error: Could not open temporary file $tempfile for downloading: $!\n/);
++ sysopen my $fh, $tempfile, Fcntl::O_CREAT|Fcntl::O_EXCL|Fcntl::O_WRONLY
++ or Carp::croak(qq/Error: Could not create temporary file $tempfile for downloading: $!\n/);
+ binmode $fh;
+ $args->{data_callback} = sub {
+ print {$fh} $_[0]
+--
+1.8.3.1
+
diff --git a/perl-HTTP-Tiny.spec b/perl-HTTP-Tiny.spec
index 4418f00..881443a 100644
--- a/perl-HTTP-Tiny.spec
+++ b/perl-HTTP-Tiny.spec
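Review bot: The `sysopen` call added to mirror() in lib/HTTP/Tiny.pm has no comment saying why O_EXCL is needed, so a later cleanup could turn it back into a plain `open` and again write through a file or symlink that already sits at the guessable `$file . int(rand(2**31))` name. I would add above it `# O_EXCL: refuse to reuse an existing file or follow a symlink at this predictable temp name`. The flags are also written as bare `Fcntl::O_CREAT|Fcntl::O_EXCL|Fcntl::O_WRONLY` after `use Fcntl ();`; spelling them `Fcntl::O_CREAT()|Fcntl::O_EXCL()|Fcntl::O_WRONLY()` would not depend on the constants being predeclared when the line is compiled, which may matter on older perls. mirror() starts and ends outside the hunk, so whether the temporary file is removed after a failed download cannot be checked from here.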
@@ -9,6 +9,9 @@ Source0: http://www.cpan.org/authors/id/D/DA/DAGOLDEN/HTTP-Tiny-%{version
 # Check for write failure, bug #1031096,
 # <https://github.com/chansen/p5-http-tiny/issues/32>
 Patch0: HTTP-Tiny-0.038-Croak-on-failed-write-into-a-file.patch
+# Do not use already existing temporary files, bug #1031096,
+# <https://github.com/chansen/p5-http-tiny/issues/32>
+Patch1: HTTP-Tiny-0.038-Do-not-use-already-existing-temporary-files.patch
 BuildArch: noarch
 BuildRequires: perl
 BuildRequires: perl(ExtUtils::MakeMaker) >= 6.17
@@ -18,6 +21,7 @@ BuildRequires: perl(warnings)
 BuildRequires: perl(bytes)
 BuildRequires: perl(Carp)
 BuildRequires: perl(Errno)
+BuildRequires: perl(Fcntl)
 BuildRequires: perl(IO::Socket)
 # IO::Socket::SSL 1.56 is optional
 BuildRequires: perl(MIME::Base64)
@@ -55,6 +59,7 @@ resumes after EINTR.
 %prep
 %setup -q -n HTTP-Tiny-%{version}
 %patch0 -p1
+%patch1 -p1
 
 %build
 perl Makefile.PL INSTALLDIRS=vendor
@@ -76,6 +81,7 @@ make test
 %changelog
 * Wed Nov 27 2013 Petr Pisar <ppisar@xxxxxxxxxx> - 0.038-2
 - Croak on failed write into a file (bug #1031096)
+- Do not use already existing temporary files (bug #1031096)
 
 * Tue Nov 19 2013 Petr Pisar <ppisar@xxxxxxxxxx> - 0.038-1
 - 0.038 bump
--
Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/perl-devel