From f0ada4fd4d9f4a6c028f86306e62fe880949d4e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Wed, 27 Nov 2013 10:58:07 +0100
Subject: [PATCH] Do not use already existing temporary files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

mirror() method tries to create a new temporary file as can be
concluded by using random name.

To prevent from from attacks, one has to make sure the file does not
exist. This patch creates temporary files with O_CREAT|O_EXCL mode.

Signed-off-by: Petr Písař <ppisar@redhat.com>
---
 lib/HTTP/Tiny.pm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm
index 8736816..6ee800e 100644
--- a/lib/HTTP/Tiny.pm
+++ b/lib/HTTP/Tiny.pm
@@ -6,6 +6,7 @@ use warnings;
 our $VERSION = '0.033'; # VERSION
 
 use Carp ();
+use Fcntl ();
 
 
 my @attributes;
@@ -113,8 +114,8 @@ sub mirror {
         $args->{headers}{'if-modified-since'} ||= $self->_http_date($mtime);
     }
     my $tempfile = $file . int(rand(2**31));
-    open my $fh, ">", $tempfile
-        or Carp::croak(qq/Error: Could not open temporary file $tempfile for downloading: $!\n/);
+    sysopen my $fh, $tempfile, Fcntl::O_CREAT|Fcntl::O_EXCL|Fcntl::O_WRONLY
+        or Carp::croak(qq/Error: Could not create temporary file $tempfile for downloading: $!\n/);
     binmode $fh;
     $args->{data_callback} = sub {
         print {$fh} $_[0]
-- 
1.8.3.1