
This queue is for tickets about the File-MimeInfo CPAN distribution.

Report information
The Basics
Id: 27483
Status: resolved
Priority: 0/
Queue: File-MimeInfo

People
Owner: Nobody in particular
Requestors: perl.andrew [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.13
Fixed in: (no value)



Subject: Error opening files with pipes in name
The open method being used in this package is very vulnerable to awkward file names that can lead to code injection if you are not careful. It may be rare, but when filenames have pipes, for example, the text following the pipe is executed as a shell command. If your filename is "example=|ls|", ls is executed in the shell. In order to fix this, I changed the open calls to use the 3-argument form of open. Attached is the MimeInfo class with the new open calls. I also modified the new method to actually return the blessed reference of the object.
Subject: MimeInfo.pm

Message body is not shown because it is too large.

Fixed in version 0.14. -- Jaap
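
The difference between the two forms of `open` described in the report, as an added example that is not part of the ticket or of File::MimeInfo's own code. The file name, the harmless `echo` stand-in command and the two helper names are constructed for illustration, and a Unix-like system with `/bin/sh` is assumed.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed sample: a file whose name ends in a pipe, as in the report.
# "echo" stands in as a harmless command.
my $name = 'example=|echo INJECTED|';
my $dir  = tempdir(CLEANUP => 1);
chdir $dir or die "chdir failed: $!";

# Create the file with 3-argument open; the name is taken literally.
open(my $out, '>', $name) or die "create failed: $!";
print {$out} "real file contents\n";
close($out) or die "close failed: $!";

# Before: 2-argument open parses the mode out of the string itself.
# A trailing "|" means "run the rest as a command and read its output".
sub first_line_two_arg {
    my ($file) = @_;
    open(my $fh, $file) or return;
    my $line = <$fh>;
    close($fh);
    return $line;
}

# After: the mode is a separate argument, so the name is only ever data.
sub first_line_three_arg {
    my ($file) = @_;
    open(my $fh, '<', $file) or return;
    my $line = <$fh>;
    close($fh);
    return $line;
}

print "2-arg open read: ", first_line_two_arg($name)   // "(open failed)\n";
print "3-arg open read: ", first_line_three_arg($name) // "(open failed)\n";
chdir '/';    # leave the temp dir so CLEANUP can remove it
```

The 2-argument form also strips surrounding whitespace and treats leading `<`, `>`, `+` and `|` as mode characters, so any file name that comes from outside the program needs the 3-argument form.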