
This queue is for tickets about the Log-Log4perl-Tiny CPAN distribution.

Report information
The Basics
Id: 85852
Status: resolved
Priority: 0/
Queue: Log-Log4perl-Tiny

People
Owner: polettix [...] cpan.org
Requestors: pedro-d-assuncao [...] ext.ptinovacao.pt
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: 1.2.4



Subject: while running with setuid...
Date: Tue, 4 Jun 2013 15:53:26 +0100
To: "bug-Log-Log4perl-Tiny [...] rt.cpan.org" <bug-Log-Log4perl-Tiny [...] rt.cpan.org>
From: Pedro Davide Assunção <pedro-d-assuncao [...] ext.ptinovacao.pt>
Insecure dependency in open while running setuid at /usr/lib/perl5/site_perl/5.8.8/Log/Log4perl/Tiny.pm line 99.
On Tue Jun 04 10:54:55 2013, pedro-d-assuncao@ext.ptinovacao.pt wrote:
> > Insecure dependency in open while running setuid at
> > /usr/lib/perl5/site_perl/5.8.8/Log/Log4perl/Tiny.pm line 99.
This is true because I'm using the two-argument flavor of open(). I usually refrain from doing that, so I probably got caught by the possibility to let the end user open in append mode very easily (like in '>>/path/to/file'). This is what I'm planning to do:

* keep the file key as is and deprecate it by default
* clone it as file_insecure, so that it can be kept in the future without deprecation (and requiring very little intervention on code relying on this feature)
* add file_open and file_append
* wait a cycle and change "file" to behave like "file_open" (possibly adding an import option to keep the "old" behaviour)

What do you think?

Flavio.
On Tue 04 Jun 2013 10:54:55, pedro-d-assuncao@ext.ptinovacao.pt wrote:
> > Insecure dependency in open while running setuid at
> > /usr/lib/perl5/site_perl/5.8.8/Log/Log4perl/Tiny.pm line 99.
I added file_insecure, file_create and file_append options to both new() and easy_init(). file will always remain "insecure" to keep compliance with Log::Log4perl. If you need to use the module in setuid, you should probably look at file_create or file_append. I also seem to remember that setuid is very close to taintedness, so you should probably try and "laundry" your filename before using it.

The new release of the module will be on CPAN shortly, first as a developer release. The final code is in GitHub though.

I cannot test setuid because I suspect my system does not allow me to enable it. It would be great if you did and reported on it.

Regards, Flavio.
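As an added illustration (not code from Log::Log4perl::Tiny or from anyone in this thread): the two-argument open() the report tripped over, beside the explicit three-argument opens that file_create and file_append correspond to, plus the filename laundering Flavio mentions. The log-path pattern, file names and function names are assumptions; run it with `perl -T` so the taint checks that setuid Perl enables are active.

```perl
use strict;
use warnings;

# Two-argument open: the mode is parsed out of the string itself, so the
# caller's data decides whether this is a read, a write, an append or even
# a pipe ('>>/path/to/file' selects append). Under taint mode (-T, or a
# setuid script) Perl refuses a write/append with a tainted spec:
# "Insecure dependency in open while running ...".
sub open_two_arg {
    my ($spec) = @_;
    open(my $fh, $spec) or die "two-arg open of '$spec' failed: $!";
    return $fh;
}

# Three-argument open: the mode is fixed by the caller and the argument is
# only ever a filename. This is what file_create / file_append stand for;
# taint mode still requires the name itself to be untainted.
sub open_create {
    my ($path) = @_;
    open(my $fh, '>', $path) or die "create open of '$path' failed: $!";
    return $fh;
}

sub open_append {
    my ($path) = @_;
    open(my $fh, '>>', $path) or die "append open of '$path' failed: $!";
    return $fh;
}

# "Launder" a tainted filename: only data captured by a regex is considered
# clean. The pattern is an assumption; narrow it to what your deployment
# needs (here: an absolute path under /var/log made of safe characters).
sub untaint_log_path {
    my ($tainted) = @_;
    my ($clean) = $tainted =~ m{\A(/var/log/[\w.-]+(?:/[\w.-]+)*)\z}
        or die "refusing log path '$tainted'\n";
    return $clean;
}

# Constructed input standing in for a value from the command line or the
# environment, which Perl marks tainted under -T.
my $requested = defined $ARGV[0] ? $ARGV[0] : '/var/log/tiny-example.log';
my $path = untaint_log_path($requested);   # dies on '>>/etc/passwd' etc.
my $fh   = open_append($path);             # mode chosen here, not by the data
print {$fh} "log line written in append mode\n";
close $fh or die "close failed: $!";
```

Passing a spec such as `'>>/tmp/x'` to open_two_arg() under -T reproduces the "Insecure dependency in open" error from the report, while untaint_log_path() rejects the same string outright before any open happens.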
Took some time to do the official release, but here it is. Thanks for reporting the bug. Flavio.