
This queue is for tickets about the Archive-Zip CPAN distribution.

Report information
The Basics
Id: 6343
Status: resolved
Priority: 0/
Queue: Archive-Zip

People
Owner: nedkonz [...] cpan.org
Requestors: at [...] altlinux.org
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 1.10
Fixed in: (no value)



Subject: insecure temporary files handling
Hi,

And Thanks for Archive::Zip.

Please consider using File::Temp for temporary files creation, since there are security risks. The attached patch proposes a fix with which all tests pass.

--
Alexey Tourbin
ALT Linux Team
--- Archive-Zip-1.10~/Makefile.PL 2003-10-20 13:50:36 +0000 +++ Archive-Zip-1.10/Makefile.PL 2004-05-18 12:32:40 +0000 @@ -45,6 +45,7 @@ WriteMakefile( 'IO::Seekable' => 0, # 'Test' => 0, 'Time::Local' => 0, + 'File::Temp' => 0, }, EXE_FILES => [ qw( crc32 ) ], clean => { --- Archive-Zip-1.10~/lib/Archive/Zip.pm 2004-03-25 14:31:29 +0000 +++ Archive-Zip-1.10/lib/Archive/Zip.pm 2004-05-18 13:04:59 +0000 @@ -23,9 +23,11 @@ use IO::File(); use IO::Seekable(); use Compress::Zlib(); use File::Spec 0.8 (); +use File::Temp (); +use sigtrap qw(die normal-signals); use vars - qw( @ISA @EXPORT_OK %EXPORT_TAGS $VERSION $ChunkSize $ErrorHandler $TempSequence); + qw( @ISA @EXPORT_OK %EXPORT_TAGS $VERSION $ChunkSize $ErrorHandler); # This is the size we'll try to read, write, and (de)compress. # You could set it to something different if you had lots of memory @@ -400,29 +402,12 @@ sub _readSignature # Archive::Zip # my ($fh, $name) = Archive::Zip::tempFile(); # my ($fh, $name) = Archive::Zip::tempFile('mytempdir'); # -BEGIN { $Archive::Zip::TempSequence = 0 } - -sub tempFileName # Archive::Zip -{ - my $temp_dir = shift; - $temp_dir = ( -d '/tmp' ? '/tmp' : $ENV{TMPDIR} || $ENV{TEMP} || '.' ) - unless defined($temp_dir); - unless ( -d $temp_dir ) - { - mkdir( $temp_dir, 0777 ) - or die "Can't create temp directory $temp_dir\: $!\n"; - } - my $base_name = - sprintf( "%d-%d.%d", $$, time(), $Archive::Zip::TempSequence++ ); - return File::Spec->canonpath( - File::Spec->catpath( '', $temp_dir, $base_name ) ); -} sub tempFile # Archive::Zip { - my $full_name = tempFileName(@_); - my $fh = IO::File->new( $full_name, '+>' ); - return defined($fh) ? ( $fh, $full_name ) : (); + my $dir = shift; + return File::Temp::tempfile(SUFFIX => '.zip', UNLINK => 1, + $dir ? (DIR => $dir) : ()); } # Return the normalized directory name as used in a zip file (path
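Review bot: In the Makefile.PL hunk (@@ -45,6 +45,7 @@), the new prerequisite 'File::Temp' => 0 accepts any installed version, while the rewritten tempFile() relies on tempfile() honouring the SUFFIX, UNLINK and DIR options. Declare the lowest File::Temp version the patch was actually tested against, the same way Zip.pm already pins File::Spec with "use File::Spec 0.8 ();".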
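Review bot: In the first lib/Archive/Zip.pm hunk (@@ -23,9 +23,11 @@), "use sigtrap qw(die normal-signals);" installs signal handlers for the whole process as a side effect of loading the module, so every program that uses Archive::Zip gets its handling of HUP, INT, PIPE and TERM changed without asking for it. If the purpose is to let the temporary-file cleanup run when the process is interrupted, state that in a comment and in the POD, or leave signal policy to the calling application. Dropping $TempSequence from "use vars" matches the BEGIN block deleted in the next hunk.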
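Review bot: The tempFile hunk (@@ -400,29 +402,12 @@) changes what callers can observe, and the comment block above the sub is not updated to say so. tempFileName() is deleted outright, so existing callers of Archive::Zip::tempFileName break; the old tempFile() returned an empty list when the open failed, whereas File::Temp::tempfile croaks; the old code created a missing directory with mkdir and the new code does not; and UNLINK => 1 schedules the file for removal at program exit, which matters to a caller that keeps the returned name. Also, "$dir ? (DIR => $dir) : ()" tests truthiness where the old code tested defined($temp_dir). Suggest keeping a documented, deprecated tempFileName() or noting its removal, wrapping the tempfile() call so the empty-list failure return is preserved, and testing defined($dir).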
[guest - Tue May 18 09:22:00 2004]:
> And Thanks for Archive::Zip.

You're welcome.

> Please consider using File::Temp for temporary files creation,
> since there are security risks. The attached patch proposes a fix
> with which all tests pass.
Thanks for the patch.

Which versions of Perl did you test with? Do your patches work in Perl 5.004 (the earliest version that I have been supporting with A::Z)? Or perl 5.6?

I see the 'use sigtrap' line; was this in 5.004?

Sorry about what is probably a dumb question, but I haven't used Perl for quite a while and don't remember...

Thanks,
Ned
[NEDKONZ - Tue May 25 17:37:06 2004]:
> [guest - Tue May 18 09:22:00 2004]:
>
> > And Thanks for Archive::Zip.
>
> You're welcome.
>
> > Please consider using File::Temp for temporary files creation,
> > since there are security risks. The attached patch proposes a fix
> > with which all tests pass.
A version of A::Z that has a modified version of this patch is in PAUSE as

https://pause.perl.org/pub/PAUSE/authors/id/N/NE/NEDKONZ/Archive-Zip-1.12_03.tar.gz

It will be available in CPAN as

$CPAN/authors/id/N/NE/NEDKONZ/Archive-Zip-1.12_03.tar.gz