
This queue is for tickets about the Archive-Extract CPAN distribution.

Report information
The Basics
Id: 39554
Status: stalled
Priority: 0/
Queue: Archive-Extract

People
Owner: Nobody in particular
Requestors: dagolden [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: (no value)



Subject: Must set $Archive::Tar::CHOWN, not $Archive::Tar::Constant::CHOWN
The wrong constant is set to prevent Archive::Tar from using permissions in the archive. This is a potential security risk if files in the archive have world-writable permissions.

-- David

On Tue Sep 23 16:07:51 2008, DAGOLDEN wrote:
> The wrong constant is set to prevent Archive::Tar from using permissions
> in the archive. This is a potential security risk if files in the
> archive have world-writable permissions.

Good catch. I've made the change. Cheers,
Actually, that is not enough - one should also set $Archive::Tar::CHMOD:

{{{{{{{{{
shlomi:~$ cat archive-extract-test.pl
#!/usr/bin/perl

use strict;
use warnings;

use Archive::Extract;

my $ae = Archive::Extract->new(archive => "world-write.tar.gz");

$ae->extract(to => "$ENV{HOME}/TEMP/unpack/");
shlomi:~$ tar -tvf world-write.tar.gz
drwxr-xr-x shlomi/shlomi 0 2008-10-30 18:55 world-write/
-rwxrwxrwx shlomi/shlomi 6 2008-10-30 18:55 world-write/GOOD
shlomi:~$ perl -I Archive-Extract-0.28/lib/ archive-extract-test.pl
shlomi:~$ ls -lR TEMP/unpack/
TEMP/unpack/:
total 0
drwxr-xr-x 2 shlomi shlomi 17 2008-10-30 19:17 world-write

TEMP/unpack/world-write:
total 4
-rwxrwxrwx 1 shlomi shlomi 6 2008-10-30 18:55 GOOD
shlomi:~$ umask
0022
shlomi:~$
}}}}}}}}}

I can replicate on OS X.
On Thu Nov 13 14:15:21 2008, MSCHWERN wrote:
> I can replicate on OS X.
Disabling CHMOD also means that essential file permissions are lost, like +x, as well as read/write access. These things have caused trouble in the past, especially in the CPAN toolchain, so I'm very reluctant to change this. Suggestions are welcome of course.
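
The trade-off discussed in this ticket (world-writable files versus losing +x) can be sidestepped by turning off Archive::Tar's own chmod and applying the archive mode filtered through the umask afterwards. The following is an added example, not part of the ticket and not Archive::Extract's code; `safe_mode` and `extract_masked` are hypothetical helper names and the sample archive is constructed in place.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Archive::Tar;
use File::Temp qw(tempdir);
use File::Spec;

# Constructed sample: one world-writable executable, like world-write/GOOD above.
my $dir     = tempdir( CLEANUP => 1 );
my $archive = File::Spec->catfile( $dir, 'world-write.tar' );
my $out     = Archive::Tar->new;
$out->add_data( 'world-write/GOOD', "hello\n", { mode => 0777 } );
$out->write($archive) or die $out->error;

# Mode to apply on disk: keep the archive's rwx bits (so +x survives),
# drop setuid/setgid/sticky, then remove whatever the umask forbids.
sub safe_mode {
    my ( $archive_mode, $umask ) = @_;
    return $archive_mode & 0777 & ~$umask;
}

# Extract with Archive::Tar's own chmod/chown disabled, then set the
# filtered mode ourselves. Returns { path => mode applied }.
# Entry names are trusted here because the sample archive is constructed.
sub extract_masked {
    my ( $file, $dest, $umask ) = @_;
    local $Archive::Tar::CHMOD = 0;
    local $Archive::Tar::CHOWN = 0;
    my $tar = Archive::Tar->new($file) or die Archive::Tar->error;
    my %applied;
    for my $entry ( $tar->get_files ) {
        next unless $entry->is_file;
        my $target = File::Spec->catfile( $dest, $entry->full_path );
        $tar->extract_file( $entry->full_path, $target ) or die $tar->error;
        my $mode = safe_mode( $entry->mode, $umask );
        chmod $mode, $target or die "chmod $target: $!";
        $applied{$target} = $mode;
    }
    return \%applied;
}

my $unpack  = File::Spec->catdir( $dir, 'unpack' );
my $applied = extract_masked( $archive, $unpack, 0022 );
printf "%04o %s\n", $applied->{$_}, $_ for sort keys %$applied;
```

With a umask of 0022 the archived mode 0777 lands on disk as 0755, so the execute bit is kept while group and other write access is removed.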