From f0ada4fd4d9f4a6c028f86306e62fe880949d4e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Wed, 27 Nov 2013 10:58:07 +0100
Subject: [PATCH] Do not use already existing temporary files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

mirror() method tries to create a new temporary file as can be
concluded by using random name.

To prevent attacks, one has to make sure the file does not already
exist. This patch creates temporary files with O_CREAT|O_EXCL mode.

Signed-off-by: Petr Písař <ppisar@redhat.com>
---
 lib/HTTP/Tiny.pm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm
index 8736816..6ee800e 100644
--- a/lib/HTTP/Tiny.pm
+++ b/lib/HTTP/Tiny.pm
@@ -6,6 +6,7 @@ use warnings;
 our $VERSION = '0.033'; # VERSION
 
 use Carp ();
+use Fcntl ();
 
 
 my @attributes;
@@ -113,8 +114,8 @@ sub mirror {
         $args->{headers}{'if-modified-since'} ||= $self->_http_date($mtime);
     }
     my $tempfile = $file . int(rand(2**31));
-    open my $fh, ">", $tempfile
-        or Carp::croak(qq/Error: Could not open temporary file $tempfile for downloading: $!\n/);
+    sysopen my $fh, $tempfile, Fcntl::O_CREAT|Fcntl::O_EXCL|Fcntl::O_WRONLY
+        or Carp::croak(qq/Error: Could not create temporary file $tempfile for downloading: $!\n/);
     binmode $fh;
     $args->{data_callback} = sub {
         print {$fh} $_[0]
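Review bot: With O_EXCL in the new `sysopen` call, any file already present at `$tempfile` now makes mirror() croak on the first attempt, because the name is still a single draw from `rand` appended to `$file`. That file could be a leftover from an interrupted run or one created by another local user in a shared directory. O_CREAT|O_EXCL is the right primitive here (it also refuses an existing symlink at that path), so what is missing is only a bounded retry with a fresh suffix when `$!{EEXIST}` is set, as sketched below. The sketch also writes the flags as `Fcntl::O_CREAT()` so they parse as calls regardless of load order. mirror() starts and ends outside the hunk, so whether `$tempfile` is unlinked after a failed request cannot be checked from here.

```perl
    # O_EXCL guarantees we never write into a pre-existing file or symlink;
    # a name clash is retried with a new suffix instead of aborting at once.
    my ($fh, $tempfile, $created);
    for (1 .. 10) {    # retry bound is a suggestion
        $tempfile = $file . int(rand(2**31));
        $created  = sysopen($fh, $tempfile,
            Fcntl::O_CREAT()|Fcntl::O_EXCL()|Fcntl::O_WRONLY());
        last if $created or not $!{EEXIST};
    }
    $created
        or Carp::croak(qq/Error: Could not create temporary file $tempfile for downloading: $!\n/);
    # … unchanged: binmode and data_callback setup …
```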
-- 
1.8.3.1