From: Don Armstrong
Date: Sat, 8 Mar 2014 02:33:46 +0000 (-0800)
Subject: Fix insecure tmpfile creation (closes: #740670)
X-Git-Tag: debian/20170521-1~13
X-Git-Url: https://git.donarmstrong.com/?p=perltidy.git;a=commitdiff_plain;h=4862e2b1f02adca8d5d24886268178b8635a9140

Fix insecure tmpfile creation (closes: #740670)
---

diff --git a/debian/changelog b/debian/changelog
index af7e5ac..25368d1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ perltidy (20130922-1) unstable; urgency=medium
 
   * New upstream release (closes: #740559)
   * Update VCS location after switching to git
+  * Fix insecure tmpfile creation (closes: #740670)
 
  -- Don Armstrong  Fri, 07 Mar 2014 18:18:01 -0800
 
diff --git a/debian/patches/fix_insecure_tmpnam_usage_740670 b/debian/patches/fix_insecure_tmpnam_usage_740670
new file mode 100644
index 0000000..0d3b265
--- /dev/null
+++ b/debian/patches/fix_insecure_tmpnam_usage_740670
@@ -0,0 +1,80 @@
+Description: Replace insecure make_temporary_filename with File::Temp::tempfile
+Forwarded: http://lists.example.com/2010/03/1234.html
+Origin: vendor, http://bugs.debian.org/740670
+Author: Don Armstrong
+Last-Update: 2010-03-29
+--- a/lib/Perl/Tidy.pm
++++ b/lib/Perl/Tidy.pm
+@@ -76,6 +76,7 @@
+ use IO::File;
+ use File::Basename;
+ use File::Copy;
++use File::Temp qw(tempfile);
+ 
+ BEGIN {
+ ( $VERSION = q($Id: Tidy.pm,v 1.74 2013/09/22 13:56:49 perltidy Exp $) ) =~ s/^.*\s+(\d+)\/(\d+)\/(\d+).*$/$1$2$3/; # all one line for MakeMaker
+@@ -235,35 +236,6 @@
+ return undef;
+ }
+ 
+-sub make_temporary_filename {
+-
+- # Make a temporary filename.
+- # The POSIX tmpnam() function has been unreliable for non-unix systems
+- # (at least for the win32 systems that I've tested), so use a pre-defined
+- # name for them. A disadvantage of this is that two perltidy
+- # runs in the same working directory may conflict. However, the chance of
+- # that is small and manageable by the user, especially on systems for which
+- # the POSIX tmpnam function doesn't work.
+- my $name = "perltidy.TMP";
+- if ( $^O =~ /win32|dos/i || $^O eq 'VMS' || $^O eq 'MacOs' ) {
+- return $name;
+- }
+- eval "use POSIX qw(tmpnam)";
+- if ($@) { return $name }
+- use IO::File;
+-
+- # just make a couple of tries before giving up and using the default
+- for ( 0 .. 3 ) {
+- my $tmpname = tmpnam();
+- my $fh = IO::File->new( $tmpname, O_RDWR | O_CREAT | O_EXCL );
+- if ($fh) {
+- $fh->close();
+- return ($tmpname);
+- last;
+- }
+- }
+- return ($name);
+-}
+ 
+ # Here is a map of the flow of data from the input source to the output
+ # line sink:
+@@ -1324,11 +1296,7 @@
+ my ( $fh_stream, $fh_name ) =
+ Perl::Tidy::streamhandle( $stream, 'r' );
+ if ($fh_stream) {
+- my ( $fout, $tmpnam );
+-
+- # TODO: fix the tmpnam routine to return an open filehandle
+- $tmpnam = Perl::Tidy::make_temporary_filename();
+- $fout = IO::File->new( $tmpnam, 'w' );
++ my ( $fout, $tmpnam ) = tempfile();
+ 
+ if ($fout) {
+ $fname = $tmpnam;
+@@ -5159,14 +5127,7 @@
+ # Pod::Html requires a real temporary filename
+ # If we are making a frame, we have a name available
+ # Otherwise, we have to fine one
+- my $tmpfile;
+- if ( $rOpts->{'frames'} ) {
+- $tmpfile = $self->{_toc_filename};
+- }
+- else {
+- $tmpfile = Perl::Tidy::make_temporary_filename();
+- }
+- my $fh_tmp = IO::File->new( $tmpfile, 'w' );
++ my ($fh_temp,$tempfile) = tempfile();
+ unless ($fh_tmp) {
+ Perl::Tidy::Warn
+ "unable to open temporary file $tmpfile; cannot use pod2html\n";
diff --git a/debian/patches/series b/debian/patches/series
index 9b1049a..9ec3b4b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 document_bst_better
+fix_insecure_tmpnam_usage_740670
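Review bot: In the inner hunk `@@ -5159,14 +5127,7 @@` the new line `my ($fh_temp,$tempfile) = tempfile();` declares names that nothing uses, while the unchanged context lines right after it still read `$fh_tmp` and `$tmpfile`, so the guard `unless ($fh_tmp)` sees an undeclared variable (a compile error under `use strict`, otherwise an always-taken "unable to open temporary file" branch) and the pod2html path, whose body continues outside the hunk, never receives the handle the fix just created; the line should read `my ( $fh_tmp, $tmpfile ) = tempfile();`. The same hunk also silently drops the `frames` branch that reused `$self->{_toc_filename}`, which is a behaviour change beyond the tmpnam fix if code further down expects the TOC file at that name. In the `@@ -1324,11 +1296,7 @@` hunk, File::Temp's `tempfile()` as far as I recall croaks rather than returning false when it cannot create the file (check the installed version), so the retained `if ($fout)` guard may no longer be the failure path and the intent should be stated in a comment or the call wrapped in an `eval`. Finally, the DEP-3 header at the top of the new patch still carries template-looking values (`Forwarded: http://lists.example.com/2010/03/1234.html`, `Last-Update: 2010-03-29`) that do not match this 2014 change and should be corrected before upload.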