
This queue is for tickets about the KinoSearch CPAN distribution.

Report information
The Basics
Id: 30142
Status: resolved
Priority: 0/
Queue: KinoSearch

People
Owner: CREAMYG [...] cpan.org
Requestors: ANDK [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.161
Fixed in: 0.162



Subject: Cleaning up /tmp directory; predictable tmp filenames
While cleaning up my /tmp directory I discovered leftovers from KinoSearch 0.161 testsuite:

    # ls -l kinosearch_lockdir/test-foo
    -rw-rw-r-- 1 sand sand 25 Oct 20 05:52 kinosearch_lockdir/test-foo
    # ls -lad kinosearch_lockdir
    drwxrwxrwx 2 sand sand 4096 Oct 20 05:53 kinosearch_lockdir/

Predictable filenames in /tmp directory have severe security implications when people run the tests as root. Please use File::Temp instead (which has the additional benefit of cleaning up after its use;)

Thanks,
This flaw ought to be resolved with maint release 0.162 and devel release 0.20_05.

The test suite still creates temp files and directories with predictable names -- this is unavoidable because KinoSearch's invindexes are directories and the naming semantics of the files within them matter. However, the test suite now takes greater care with permissions, creating a working directory within the tmp directory with owner-only privileges, doing all its work within that, then cleaning up at the end.

Lock files are still created within the tmp directory, though this is no longer the case in development releases (0.20_xx). These must have predictable filenames, because otherwise other processes could not find them. However, the locking mechanism uses safe opens (sysopen with O_EXCL), so there should be no potential for clobbering.
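An added illustration of the two measures described in the reply above (not part of the ticket and not KinoSearch's own code): an owner-only working directory, and a lock file at a predictable name opened with sysopen and O_EXCL. The helper name acquire_lock and the file names are hypothetical, and the directory is created with File::Temp's tempdir, which is the requestor's suggestion rather than what the test suite is said to use.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_CREAT O_EXCL O_WRONLY);
use File::Temp qw(tempdir);
use File::Spec;

# Owner-only scratch directory (File::Temp creates it with mode 0700),
# removed at exit. It stands in here for the shared tmp directory.
my $workdir = tempdir( 'example_XXXXXXXX', TMPDIR => 1, CLEANUP => 1 );

# Hypothetical helper: take a lock at a predictable path without clobbering.
# With O_CREAT|O_EXCL the open fails if anything already exists at the
# path, and a symlink at that path is not followed.
sub acquire_lock {
    my ($path) = @_;
    sysopen( my $fh, $path, O_CREAT | O_EXCL | O_WRONLY, 0600 )
        or return;    # $! is EEXIST when the name is already taken
    print {$fh} "$$\n";
    close $fh or die "close $path: $!";
    return 1;
}

my $lock   = File::Spec->catfile( $workdir, 'test-foo.lock' );
my $victim = File::Spec->catfile( $workdir, 'victim.txt' );

# Constructed sample data: a file that a pre-planted symlink points at.
open( my $v, '>', $victim ) or die "open $victim: $!";
print {$v} "important\n";
close $v or die "close $victim: $!";

# Case 1: the predictable name already exists as a symlink to the victim.
symlink( $victim, $lock ) or die "symlink: $!";
printf "symlink present: lock %s (%s)\n",
    acquire_lock($lock) ? 'acquired' : 'refused', $!;
printf "victim size still %d bytes\n", -s $victim;
unlink $lock or die "unlink $lock: $!";

# Case 2: the name is free; the first caller wins, the second is refused.
printf "first caller:  %s\n", acquire_lock($lock) ? 'acquired' : 'refused';
printf "second caller: %s\n", acquire_lock($lock) ? 'acquired' : 'refused';
unlink $lock or die "unlink $lock: $!";
```

Replacing the sysopen flags with a plain open for writing makes case 1 truncate the victim file through the symlink, which is the clobbering that O_EXCL rules out.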