| Subject: | Gantry 3.53 Build.PL subject to race condition |
On line 199 of Build.PL the code attempts to change the permissions on a
file (which may not exist - as per my previous bug #39607 regarding
Build.PL's failure to honour destdir) to be world writable. Assuming
success, the code then goes on to clobber that file, rewrite it and then
reset the permissions.
By setting the file to be world writable, there is the risk that after
the write, but before the permissions are reset, that any other process
could edit, truncate or otherwise interfere with that file.
Since the user running the code has the rights to change the permissions
of that file, it seems likely that they could already write to that
file. If this is not the case, because the read permission has already
been removed by earlier code, then surely all one needs to do is give
that user write permission? Not everyone?
I suspect it would be better, if this is required to use the permissions
octal: 0644 instead.
Thanks,
Jacinta