Subject: | Broken temp file generation in MP3::Tag::ID3v2 |
Date: | Tue, 22 Mar 2011 01:16:12 -0400 |
To: | bug-MP3-Tag [...] rt.cpan.org |
From: | Jason Rhinelander <jagerman [...] jagerman.com> |
MP3::Tag::ID3v2 uses an unsafe tempfile generation, which has the
potential to corrupt files if multiple processes using MP3::Tag::ID3v2
are operating on files in the same directory at the same time. I ran
into this, with a parallel-processing script, and it clobbered some of
my MP3 files.
This is just a basic race condition: the file might exist between the
time -e is called and the subsequent open(). Rather than trying to fix
the tempfile name generation, it would be easier to simply use
File::Temp, which is designed to do exactly this sort of thing safely.
The attached patch to ID3v2.pm fixes the problem by doing exactly that:
it removes the current tempfile generation code, instead using
File::Temp's tempfile() to create the file, which should solve the problem.
Message body is not shown because sender requested not to inline it.