Shlomi Fish committed a08fa26

Fix the temporary filename problem.

Comments (0)

Files changed (3)

config-inifiles/Build.PL

         'Carp' => 0,
         'Symbol' => 0,
         'warnings' => 0,
+        'File::Basename' => 0,
+        'File::Temp' => 0,
         'List::MoreUtils' => 0,
     },
     create_makefile_pl => 'small',
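Review bot: the two new entries break the ordering of the `requires` hash in this hunk; `'File::Basename'` and `'File::Temp'` belong between `'Carp'` and `'List::MoreUtils'` if the list is meant to read alphabetically. Both modules are core, so `=> 0` is acceptable as a minimum version, but the `Changes` entry in this commit should then also say they are required so packagers know to check for them.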

config-inifiles/Changes

-* Now requiring List::MoreUtils (for any() and other functions).
+* SECURITY BUG FIX: Config::IniFiles used to write to a temporary filename
+with a predictable name ("$(unknown)-new") which opens the door for potential
+exploits.
+
+* Now requiring List::MoreUtils (for any() and other functions), File::Temp
+and File::Basename .
 
 * Add "use warnings;" to lib/Config/IniFiles.pm .
 
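Review bot: the security entry in this hunk names the risk only as "potential exploits"; it should say what the predictable name enabled, namely that anything already present at the fixed `-new` path in the configuration file's own directory (a pre-created file or a symlink placed by another local user) would be overwritten through that path when the config was written. The entry also renders the old name as `"$(unknown)-new"`, which does not match any pattern in the code; state the real pattern (the config filename with `-new` appended) so readers can recognize leftover files. Minor: `File::Basename .` has a stray space before the period.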

config-inifiles/lib/Config/IniFiles.pm

 
 use List::MoreUtils qw(any none);
 
+use File::Basename qw( dirname );
+use File::Temp qw/ tempfile /;
+
 @Config::IniFiles::errors = ( );
 
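Review bot: the two new `use` lines in this hunk use different `qw` delimiters (`qw( dirname )` versus `qw/ tempfile /`); pick one form to match the existing `use List::MoreUtils qw(any none);` above them.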
 #   $Header: /home/shlomi/progs/perl/cpan/Config/IniFiles/config-inifiles-cvsbackup/config-inifiles/IniFiles.pm,v 2.41 2003-12-08 10:50:56 domq Exp $
             #carp "Store mode $self->{file_mode} prohibits writing config";
         }
 
-        my $new_file = $file . "-new";
-        open(my $fh, '>', $new_file) || do {
-            carp "Unable to write temp config file $new_file: $!";
-            return undef;
-        };
+        my ($fh, $new_file) = tempfile(
+            "temp.ini-XXXXXXXXXX",
+            DIR => dirname($file)
+        );
         $self->OutputConfigToFileHandle($fh, $parms{-delta});
         close($fh);
         if (!rename( $new_file, $file )) {
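Review bot: the replacement in this hunk drops the error handling that the removed `open(...) || do { carp ...; return undef; }` block provided. `tempfile()` croaks when it cannot create the file (for example when `dirname($file)` is not writable), so callers that previously got `undef` and a warning will now get an uncaught exception; wrap the call in `eval` (or check its return) and keep the `carp`/`return undef` path. Two further behavior changes worth a comment or a test: File::Temp creates the file with mode 0600, so after the `rename` the rewritten config will be readable only by the owner even if the original was group- or world-readable (consider copying the original file's mode onto `$fh` before the rename), and if the `rename` fails the `temp.ini-XXXXXXXXXX` file is left behind in the config directory because `tempfile` is not called with `UNLINK => 1`, so the failure branch should `unlink $new_file`.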