Ensure that tempdirs are removed in Perl 5.28. #647
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
File::Temp::tempdir() internally calls File::Path::rmtree() to implement the
'CLEANUP => 1' option. A security vulnernability was discovered in rmtree()
in early 2017. This vulnerability has been addressed in File::Path versions
2.14 and later; a thus patched version of File::Path will appear in Perl-5.28
to be released in spring 2018.
The security correction changes the functionality of rmtree() when not called
with a true value as its third positional argument:
rmtree($my_tempdir, 0, 0);
As of File::Path 2.14, this syntax will no longer remove directories for which
the user lacks both 'read' and 'execute' permissions. For example, any
directory whose numerical permissions are octal 0000 or 0200 will no longer be
deleted.
The file for which this patch is being submitted contains a chmod() call with
0000 permissions. While, even if this patch is not applied, all tests in the
file will continue to PASS, the 0000 directories will not be deleted and the
person running the test will be shown warnings that some directories have not
been deleted. The patch attached addresses this situation by restoring owner
'read' and 'execute' permissions to the directory before the call to tempdir()
goes out of scope. This will once again remove the tempdirs, eliminate the
warnings and avert user confusion.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
File::Temp::tempdir() internally calls File::Path::rmtree() to implement the
'CLEANUP => 1' option. A security vulnernability was discovered in rmtree()
in early 2017. This vulnerability has been addressed in File::Path versions
2.14 and later; a thus patched version of File::Path will appear in Perl-5.28
to be released in spring 2018.
The security correction changes the functionality of rmtree() when not called
with a true value as its third positional argument:
As of File::Path 2.14, this syntax will no longer remove directories for which
the user lacks both 'read' and 'execute' permissions. For example, any
directory whose numerical permissions are octal 0000 or 0200 will no longer be
deleted.
The file for which this patch is being submitted contains a chmod() call with
0000 permissions. While, even if this patch is not applied, all tests in the
file will continue to PASS, the 0000 directories will not be deleted and the
person running the test will be shown warnings that some directories have not
been deleted. The patch attached addresses this situation by restoring owner
'read' and 'execute' permissions to the directory before the call to tempdir()
goes out of scope. This will once again remove the tempdirs, eliminate the
warnings and avert user confusion.