Description: Replace insecure make_temporary_filename with File::Temp::tempfile
Forwarded: http://lists.example.com/2010/03/1234.html
Origin: vendor, http://bugs.debian.org/740670
Author: Don Armstrong
Last-Update: 2010-03-29
--- a/lib/Perl/Tidy.pm
+++ b/lib/Perl/Tidy.pm
@@ -76,6 +76,7 @@
 use IO::File;
 use File::Basename;
 use File::Copy;
+use File::Temp qw(tempfile);
 
 BEGIN {
 ( $VERSION = q($Id: Tidy.pm,v 1.74 2013/09/22 13:56:49 perltidy Exp $) ) =~ s/^.*\s+(\d+)\/(\d+)\/(\d+).*$/$1$2$3/; # all one line for MakeMaker
@@ -235,35 +236,6 @@
 return undef;
 }
 
-sub make_temporary_filename {
-
- # Make a temporary filename.
- # The POSIX tmpnam() function has been unreliable for non-unix systems
- # (at least for the win32 systems that I've tested), so use a pre-defined
- # name for them. A disadvantage of this is that two perltidy
- # runs in the same working directory may conflict. However, the chance of
- # that is small and manageable by the user, especially on systems for which
- # the POSIX tmpnam function doesn't work.
- my $name = "perltidy.TMP";
- if ( $^O =~ /win32|dos/i || $^O eq 'VMS' || $^O eq 'MacOs' ) {
- return $name;
- }
- eval "use POSIX qw(tmpnam)";
- if ($@) { return $name }
- use IO::File;
-
- # just make a couple of tries before giving up and using the default
- for ( 0 .. 3 ) {
- my $tmpname = tmpnam();
- my $fh = IO::File->new( $tmpname, O_RDWR | O_CREAT | O_EXCL );
- if ($fh) {
- $fh->close();
- return ($tmpname);
- last;
- }
- }
- return ($name);
-}
 
 # Here is a map of the flow of data from the input source to the output
 # line sink:
@@ -1324,11 +1296,7 @@
 my ( $fh_stream, $fh_name ) =
 Perl::Tidy::streamhandle( $stream, 'r' );
 if ($fh_stream) {
- my ( $fout, $tmpnam );
-
- # TODO: fix the tmpnam routine to return an open filehandle
- $tmpnam = Perl::Tidy::make_temporary_filename();
- $fout = IO::File->new( $tmpnam, 'w' );
+ my ( $fout, $tmpnam ) = tempfile();
 
 if ($fout) {
 $fname = $tmpnam;
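Review bot: In the `@@ -1324,11 +1296,7 @@` hunk, `tempfile()` croaks on failure rather than returning a false handle, so the `if ($fout)` test after the new `my ( $fout, $tmpnam ) = tempfile();` can no longer reach its failure path and an unwritable temp directory now aborts the run. `my ( $fout, $tmpnam ) = eval { tempfile() };` would keep the existing handling. The file is also created without `UNLINK => 1`, so unless code outside the hunk removes `$tmpnam`, every streamed input leaves a file behind. The pod2html call site in the `@@ -5159` hunk has the same two issues. The enclosing block starts and ends outside the hunk.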
@@ -5159,14 +5127,7 @@
 # Pod::Html requires a real temporary filename
 # If we are making a frame, we have a name available
 # Otherwise, we have to fine one
- my $tmpfile;
- if ( $rOpts->{'frames'} ) {
- $tmpfile = $self->{_toc_filename};
- }
- else {
- $tmpfile = Perl::Tidy::make_temporary_filename();
- }
- my $fh_tmp = IO::File->new( $tmpfile, 'w' );
+ my ($fh_tmp,$tmpfile) = tempfile();
 unless ($fh_tmp) {
 Perl::Tidy::Warn
 "unable to open temporary file $tmpfile; cannot use pod2html\n";
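Review bot: The `frames` branch that reused `$self->{_toc_filename}` as the scratch file is dropped, so with frames enabled the pod2html pass now writes to a randomly named file from `tempfile()` instead of the TOC path. Whether later code relies on the old name cannot be seen from this hunk and is worth confirming. The three context comments above `my ($fh_tmp,$tmpfile) = tempfile();` still describe the removed branch and could be reduced to `# Pod::Html requires a real temporary filename; create one with File::Temp`. The enclosing sub starts and ends outside the hunk.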