
This queue is for tickets about the File-Pid CPAN distribution.

Report information
The Basics
Id: 89647
Status: new
Priority: 0/
Queue: File-Pid

People
Owner: Nobody in particular
Requestors: d.e.smorgrav [...] usit.uio.no
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Insufficient input validation in _get_pid_from_file()
Date: Mon, 21 Oct 2013 11:27:41 +0200
To: bug-File-Pid [...] rt.cpan.org
From: Dag-Erling Smørgrav <d.e.smorgrav [...] usit.uio.no>
There is no input validation in _get_pid_from_file(). Consequently, an absent or empty PID file will result in bugs ranging from a "use of uninitialized value" warning as reported in #18960 to an "insecure dependency" error if running in taint mode (from passing a tainted $pid to kill()). The latter will also occur with a valid PID file.

The attached patch adds input validation to _get_pid_from_file() and an undef check to running(). It also replaces the two-argument open() call in _get_pid_from_file() with a safer three-argument call.

DES
--
Dag-Erling Smørgrav
Universitetet i Oslo
USIT/IT-DRIFT/GD/GID

Message body is not shown because sender requested not to inline it.
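
The three checks the report describes (validating the file contents, testing for undef before kill(), and three-argument open()), as an added Perl example. This is not the attached patch, which the page does not show, nor File::Pid's own code; the helper names `read_pid_file` and `pid_is_running` are hypothetical and the sample PID files are constructed.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Hypothetical helper (not File::Pid's code): return the PID stored in $path,
# or undef when the file is absent, empty or does not hold a single number.
sub read_pid_file {
    my ($path) = @_;

    # Three-argument open: $path is only ever a file name, so characters
    # such as '>' or '|' in it cannot change the mode or start a command.
    open(my $fh, '<', $path) or return;
    my $line = <$fh>;
    close($fh);
    return unless defined $line;                 # empty file

    # Accept exactly one decimal number. Taking the value from the capture
    # group is what untaints it, so kill() accepts it in taint mode.
    return unless $line =~ /\A\s*([0-9]+)\s*\z/;
    my $pid = $1;
    return if $pid < 1;          # PID 0 would address the caller's process group
    return $pid;
}

# Hypothetical liveness check: undef check first, then signal 0.
# Signal 0 also fails on a process we may not signal, so false means
# "not running or not ours".
sub pid_is_running {
    my ($path) = @_;
    my $pid = read_pid_file($path);
    return unless defined $pid;
    return kill(0, $pid) ? $pid : undef;
}

# Constructed sample PID files: absent, empty, malformed, and our own PID.
my $dir = tempdir(CLEANUP => 1);
my %samples = (absent => undef, empty => '', garbage => "abc\n", valid => "$$\n");
for my $name (sort keys %samples) {
    my $path = "$dir/$name.pid";
    if (defined $samples{$name}) {
        open(my $out, '>', $path) or die "open $path: $!";
        print {$out} $samples{$name};
        close($out);
    }
    my $pid = pid_is_running($path);
    printf "%-8s %s\n", $name, defined $pid ? "running as $pid" : 'not running';
}
```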