From f0ada4fd4d9f4a6c028f86306e62fe880949d4e1 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>

Date: Wed, 27 Nov 2013 10:58:07 +0100

Subject: [PATCH] Do not use already existing temporary files

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

mirror() method tries to create a new temporary file as can be

concluded by using random name.

To prevent from from attacks, one has to make sure the file does not

exist. This patch creates temporary files with O_CREAT|O_EXCL mode.

Signed-off-by: Petr Písař <ppisar@redhat.com>

---

 lib/HTTP/Tiny.pm | 5 +++--

 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm

index 8736816..6ee800e 100644

--- a/lib/HTTP/Tiny.pm

+++ b/lib/HTTP/Tiny.pm

@@ -6,6 +6,7 @@ use warnings;

 our $VERSION = '0.033'; # VERSION

 use Carp ();

+use Fcntl ();

 my @attributes;

@@ -113,8 +114,8 @@ sub mirror {

         $args->{headers}{'if-modified-since'} ||= $self->_http_date($mtime);

     }

     my $tempfile = $file . int(rand(2**31));

-    open my $fh, ">", $tempfile

-        or Carp::croak(qq/Error: Could not open temporary file $tempfile for downloading: $!\n/);

+    sysopen my $fh, $tempfile, Fcntl::O_CREAT|Fcntl::O_EXCL|Fcntl::O_WRONLY

+        or Carp::croak(qq/Error: Could not create temporary file $tempfile for downloading: $!\n/);

     binmode $fh;

     $args->{data_callback} = sub {

         print {$fh} $_[0]

-- 

1.8.3.1