
This queue is for tickets about the PAR CPAN distribution.

Report information
The Basics
Id: 11300
Status: resolved
Priority: 0/
Queue: PAR

People
Owner: Nobody in particular
Requestors: tloo [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 0.87
Fixed in: (no value)



Subject: [patch] PAR.pm bails out on tainted pathname - non-root user
Running PAR as a non-root user, method _tempfile bails out when trying to issue open write to a tainted pathname (the cached $par_temp ones). I am on Linux w/ Perl 5.8.6, but PAR on any *nix is probably gonna behave the same. In practice, as of now this makes PAR on *nix unusable by an unprivileged user. Attached a patch to PAR 0.87 resolving this bug.
Thomas Loo, Saltstorm Techlabs
--- PAR.pm-orig 2005-01-30 19:13:28.000000000 +0100 +++ PAR.pm 2005-01-31 17:57:08.000000000 +0100 @@ -501,6 +501,7 @@ } sub _tempfile { + my ($fh, $filename); if ($ENV{PAR_CLEAN} or !@_) { require File::Temp; @@ -508,7 +509,7 @@ # under Win32, the file is created with O_TEMPORARY, # and will be deleted by the C runtime; having File::Temp # delete it has the only effect of giving ugly warnings - my ($fh, $filename) = File::Temp::tempfile( + ($fh, $filename) = File::Temp::tempfile( DIR => $par_temp, UNLINK => ($^O ne 'MSWin32'), ) or die "Cannot create temporary file: $!"; @@ -518,14 +519,18 @@ } require File::Spec; - my $filename = File::Spec->catfile( $par_temp, $_[0] ); + + # untainting tempfile path + local $_ = File::Spec->catfile( $par_temp, $_[0] ); + /^(.+)$/ and $filename = $1; + if (-r $filename) { - open my $fh, '<', $filename or die $!; + open $fh, '<', $filename or die $!; binmode($fh); return ($fh, 0, $filename); } - open my $fh, '+>', $filename or die $!; + open $fh, '+>', $filename or die $!; binmode($fh); return ($fh, 1, $filename); }
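Review bot: In the third hunk the untaint pattern `/^(.+)$/` matches any non-empty string that contains no newline, so it validates nothing; it only clears the taint flag on whatever `File::Spec->catfile( $par_temp, $_[0] )` produced, which is exactly the check `-T` exists to enforce. If `$par_temp` and the requested name are trusted by construction, say so in the comment (e.g. `# $par_temp is PAR's own cache dir; blanket untaint is intentional`); otherwise restrict the pattern to the characters a cache file name may contain. When the match fails (a path with an embedded newline, since `.` does not match one), `$filename` stays undef and the following `-r $filename` and `open $fh, '<', $filename` operate on undef; `/^(.+)$/ or die "Cannot untaint temp path"` makes that failure explicit. Also, `local $_` inside a subroutine raises "Modification of a read-only value attempted" when a caller has `$_` aliased to a constant in a `for` loop; a lexical (`my $path = File::Spec->catfile(...); $path =~ /^(.+)$/ and $filename = $1;`) avoids that.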
Thanks, applied, will be in 0.88.
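For the taint-mode failure described in the ticket, an added example (not PAR's code) that untaints a cache-file path by validating it rather than matching everything; the `$component` pattern, `untaint_dir`, `cache_path` and the `~/.cache-demo` location are assumptions made for this demo.

```perl
#!/usr/bin/perl -T
# Added example, not PAR's code: under taint mode (-T) any path derived from
# %ENV is tainted and open() on it dies with "Insecure dependency". A blanket
# untaint such as /^(.+)$/ silences that check without validating anything;
# this version validates each path component instead.
use strict;
use warnings;
use File::Spec;
use Scalar::Util qw(tainted);

# Only plain file-name components: letters, digits, '.', '-' and '_'.
my $component = qr/[A-Za-z0-9._-]+/;

# Returns an untainted absolute directory path, or dies.
sub untaint_dir {
    my ($dir) = @_;
    my ($safe) = $dir =~ m{^(/(?:$component/)*$component)$}
        or die "unsafe cache directory '$dir'\n";
    die "'..' not allowed in cache directory\n"
        if grep { $_ eq '..' } split m{/}, $safe;
    return $safe;
}

# Returns an untainted path below $dir for a single file name, or dies.
sub cache_path {
    my ($dir, $name) = @_;
    my ($safe) = $name =~ m{^($component)$}
        or die "unsafe cache file name\n";
    die "'.' and '..' are not file names\n" if $safe eq '.' or $safe eq '..';
    return File::Spec->catfile(untaint_dir($dir), $safe);
}

# $ENV{HOME} is tainted under -T (assumed cache location for the demo).
my $cache_dir = untaint_dir(File::Spec->catdir($ENV{HOME}, '.cache-demo'));
mkdir $cache_dir or die "mkdir $cache_dir: $!" unless -d $cache_dir;

my $path = cache_path($cache_dir, 'foo.par');
die "path is still tainted\n" if tainted($path);
open my $fh, '+>', $path or die "open $path: $!";   # no taint error now
close $fh;
unlink $path;

# A traversal name would have passed /^(.+)$/ unchanged; here it is refused.
eval { cache_path($cache_dir, '../evil') };
print "rejected: $@" if $@;
```

Run it as `perl -T script.pl`; without `-T` Perl reports "Too late for -T" because of the shebang.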