| Subject: | [patch] PAR.pm bails out on tainted pathname - non-root user |
Running PAR as a non-root user, method _tempfile bails out when trying to issue open write to a tainted pathname (the cached $par_temp ones). I am on Linux w/ Perl 5.8.6, but PAR on any *nix is probably gonna behave the same. In practise, as of now this makes PAR on *nix unusable by an unprivileged user. Attached a patch to PAR 0.87 resolving this bug.
Thomas Loo
Saltstorm Techlabs.
--- PAR.pm-orig 2005-01-30 19:13:28.000000000 +0100
+++ PAR.pm 2005-01-31 17:57:08.000000000 +0100
@@ -501,6 +501,7 @@
}
sub _tempfile {
+ my ($fh, $filename);
if ($ENV{PAR_CLEAN} or !@_) {
require File::Temp;
@@ -508,7 +509,7 @@
# under Win32, the file is created with O_TEMPORARY,
# and will be deleted by the C runtime; having File::Temp
# delete it has the only effect of giving ugly warnings
- my ($fh, $filename) = File::Temp::tempfile(
+ ($fh, $filename) = File::Temp::tempfile(
DIR => $par_temp,
UNLINK => ($^O ne 'MSWin32'),
) or die "Cannot create temporary file: $!";
@@ -518,14 +519,18 @@
}
require File::Spec;
- my $filename = File::Spec->catfile( $par_temp, $_[0] );
+
+ # untainting tempfile path
+ local $_ = File::Spec->catfile( $par_temp, $_[0] );
+ /^(.+)$/ and $filename = $1;
+
if (-r $filename) {
- open my $fh, '<', $filename or die $!;
+ open $fh, '<', $filename or die $!;
binmode($fh);
return ($fh, 0, $filename);
}
- open my $fh, '+>', $filename or die $!;
+ open $fh, '+>', $filename or die $!;
binmode($fh);
return ($fh, 1, $filename);
}