From f0ada4fd4d9f4a6c028f86306e62fe880949d4e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Wed, 27 Nov 2013 10:58:07 +0100
Subject: [PATCH] Do not use already existing temporary files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
mirror() method tries to create a new temporary file as can be concluded by using random name. To prevent from from attacks, one has to make sure the file does not exist. This patch creates temporary files with O_CREAT|O_EXCL mode.
Signed-off-by: Petr Písař
---
 lib/HTTP/Tiny.pm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm
index 8736816..6ee800e 100644
--- a/lib/HTTP/Tiny.pm
+++ b/lib/HTTP/Tiny.pm
@@ -6,6 +6,7 @@ use warnings;
 our $VERSION = '0.033'; # VERSION
 use Carp ();
+use Fcntl ();
 my @attributes;
@@ -113,8 +114,8 @@ sub mirror {
 $args->{headers}{'if-modified-since'} ||= $self->_http_date($mtime);
 }
 my $tempfile = $file . int(rand(2**31));
- open my $fh, ">", $tempfile
- or Carp::croak(qq/Error: Could not open temporary file $tempfile for downloading: $!\n/);
+ sysopen my $fh, $tempfile, Fcntl::O_CREAT|Fcntl::O_EXCL|Fcntl::O_WRONLY
+ or Carp::croak(qq/Error: Could not create temporary file $tempfile for downloading: $!\n/);
 binmode $fh;
 $args->{data_callback} = sub { print {$fh} $_[0]
--
1.8.3.1
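Review bot: In the second hunk the temporary name is still `$file . int(rand(2**31))`, and the new `sysopen` is attempted once, so a name that already exists now makes mirror() croak instead of picking another name. O_EXCL closes the reuse of an existing file, but because `rand` is not an unpredictable source, a name collision or a file created ahead of time in a shared directory turns into a failed download rather than a retry. I would retry with a fresh name a bounded number of times when the error is EEXIST and croak only after that, as sketched below (the attempt limit is an arbitrary value of mine). mirror() begins and ends outside the hunk, so whether the temporary file is removed on a failed request cannot be checked from here.

```perl
    # … unchanged: if-modified-since header setup …
    my ($fh, $tempfile, $created);
    for (1 .. 10) {    # bounded retry; the limit is a constructed value
        $tempfile = $file . int(rand(2**31));
        $created = sysopen $fh, $tempfile, Fcntl::O_CREAT|Fcntl::O_EXCL|Fcntl::O_WRONLY;
        # Retry only when the name was already taken; any other error is final.
        last if $created or not $!{EEXIST};
    }
    $created
        or Carp::croak(qq/Error: Could not create temporary file $tempfile for downloading: $!\n/);
    # … unchanged: binmode and data_callback setup …
```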