Bug 1079065: [SECURITY] Always use the 3 arguments form for open() to prevent shell code injection
r=dylan,a=simon git-svn-id: svn://10.0.0.236/branches/BUGZILLA-4_0-BRANCH@265790 18797224-902f-48f8-a5cc-f745e15eee43
This commit is contained in:
bzrmirror%bugzilla.org
parent
20714a9e71
commit
b25e44f000
@ -1 +1 @@
|
||||
7801
|
||||
7802
|
||||
@ -1 +1 @@
|
||||
9162eab026022ffa81d118b03bdd2f259399a707
|
||||
5c7b3177b0001970e1802a0c7a4da1f99cf890f4
|
||||
@ -371,7 +371,7 @@ sub data {
|
||||
# If there's no attachment data in the database, the attachment is stored
|
||||
# in a local file, so retrieve it from there.
|
||||
if (length($self->{data}) == 0) {
|
||||
if (open(AH, $self->_get_local_filename())) {
|
||||
if (open(AH, '<', $self->_get_local_filename())) {
|
||||
local $/;
|
||||
binmode AH;
|
||||
$self->{data} = <AH>;
|
||||
@ -417,7 +417,7 @@ sub datasize {
|
||||
# is stored in a local file, and so retrieve its size from the file,
|
||||
# or the attachment has been deleted.
|
||||
unless ($self->{datasize}) {
|
||||
if (open(AH, $self->_get_local_filename())) {
|
||||
if (open(AH, '<', $self->_get_local_filename())) {
|
||||
binmode AH;
|
||||
$self->{datasize} = (stat(AH))[7];
|
||||
close(AH);
|
||||
|
||||
@ -110,7 +110,7 @@ sub process_interdiff {
|
||||
# Send through interdiff, send output directly to template.
|
||||
# Must hack path so that interdiff will work.
|
||||
$ENV{'PATH'} = $lc->{diffpath};
|
||||
open my $interdiff_fh, "$lc->{interdiffbin} $old_filename $new_filename|";
|
||||
open my $interdiff_fh, '-|', "$lc->{interdiffbin} $old_filename $new_filename";
|
||||
binmode $interdiff_fh;
|
||||
my ($reader, $last_reader) = setup_patch_readers("", $context);
|
||||
|
||||
|
||||
@ -256,7 +256,7 @@ sub check_webdotbase {
|
||||
# Check .htaccess allows access to generated images
|
||||
my $webdotdir = bz_locations()->{'webdotdir'};
|
||||
if(-e "$webdotdir/.htaccess") {
|
||||
open HTACCESS, "$webdotdir/.htaccess";
|
||||
open HTACCESS, "<", "$webdotdir/.htaccess";
|
||||
if(! grep(/ \\\.png\$/,<HTACCESS>)) {
|
||||
return "Dependency graph images are not accessible.\nAssuming that you have not modified the file, delete $webdotdir/.htaccess and re-run checksetup.pl to rectify.\n";
|
||||
}
|
||||
|
||||
@ -92,7 +92,7 @@ sub _throw_error {
|
||||
$val = "*****" if $val =~ /password|http_pass/i;
|
||||
$mesg .= "[$$] " . Data::Dumper->Dump([$val],["env($var)"]);
|
||||
}
|
||||
open(ERRORLOGFID, ">>$datadir/errorlog");
|
||||
open(ERRORLOGFID, ">>", "$datadir/errorlog");
|
||||
print ERRORLOGFID "$mesg\n";
|
||||
close ERRORLOGFID;
|
||||
}
|
||||
|
||||
@ -214,8 +214,8 @@ sub set_cpan_config {
|
||||
# Calling a senseless autoload that does nothing makes us
|
||||
# automatically load any existing configuration.
|
||||
# We want to avoid the "invalid command" message.
|
||||
open(my $saveout, ">&STDOUT");
|
||||
open(STDOUT, '>/dev/null');
|
||||
open(my $saveout, ">&", "STDOUT");
|
||||
open(STDOUT, '>', '/dev/null');
|
||||
eval { CPAN->ignore_this_error_message_from_bugzilla; };
|
||||
undef $@;
|
||||
close(STDOUT);
|
||||
|
||||
@ -578,7 +578,7 @@ sub _update_old_charts {
|
||||
($in_file =~ /\.orig$/i));
|
||||
|
||||
rename("$in_file", "$in_file.orig") or next;
|
||||
open(IN, "$in_file.orig") or next;
|
||||
open(IN, "<", "$in_file.orig") or next;
|
||||
open(OUT, '>', $in_file) or next;
|
||||
|
||||
# Fields in the header
|
||||
|
||||
@ -366,7 +366,7 @@ EOT
|
||||
# Move any custom or old variables into a separate file.
|
||||
if (scalar @old_vars) {
|
||||
my $filename_old = "$filename.old";
|
||||
open(my $old_file, ">>$filename_old") || die "$filename_old: $!";
|
||||
open(my $old_file, ">>", $filename_old) || die "$filename_old: $!";
|
||||
local $Data::Dumper::Purity = 1;
|
||||
foreach my $var (@old_vars) {
|
||||
print $old_file Data::Dumper->Dump([$localconfig->{$var}],
|
||||
@ -383,7 +383,7 @@ EOT
|
||||
}
|
||||
|
||||
# Re-write localconfig
|
||||
open(my $fh, ">$filename") || die "$filename: $!";
|
||||
open(my $fh, ">", $filename) || die "$filename: $!";
|
||||
foreach my $var (LOCALCONFIG_VARS) {
|
||||
print $fh "\n", $var->{desc},
|
||||
Data::Dumper->Dump([$localconfig->{$var->{name}}],
|
||||
|
||||
@ -349,7 +349,7 @@ sub regenerate_stats {
|
||||
return;
|
||||
}
|
||||
|
||||
if (open DATA, ">$file") {
|
||||
if (open DATA, ">", $file) {
|
||||
my $fields = join('|', ('DATE', @statuses, @resolutions));
|
||||
print DATA <<FIN;
|
||||
# Bugzilla Daily Bug Stats
|
||||
|
||||
@ -177,7 +177,7 @@ sub generate_chart {
|
||||
$data_file =~ s/\//-/gs;
|
||||
$data_file = $dir . '/' . $data_file;
|
||||
|
||||
if (! open FILE, $data_file) {
|
||||
if (!open(FILE, '<', $data_file)) {
|
||||
if ($product eq '-All-') {
|
||||
$product = '';
|
||||
}
|
||||
|
||||
@ -33,7 +33,7 @@ print $cgi->header('application/xml');
|
||||
|
||||
# Get the contents of favicon.ico
|
||||
my $filename = bz_locations()->{'libpath'} . "/images/favicon.ico";
|
||||
if (open(IN, $filename)) {
|
||||
if (open(IN, '<', $filename)) {
|
||||
local $/;
|
||||
binmode IN;
|
||||
$vars->{'favicon'} = <IN>;
|
||||
|
||||
@ -61,7 +61,7 @@ sub CreateImagemap {
|
||||
my $map = "<map name=\"imagemap\">\n";
|
||||
my $default = "";
|
||||
|
||||
open MAP, "<$mapfilename";
|
||||
open MAP, "<", $mapfilename;
|
||||
while(my $line = <MAP>) {
|
||||
if($line =~ /^default ([^ ]*)(.*)$/) {
|
||||
$default = qq{<area alt="" shape="default" href="$1">\n};
|
||||
@ -271,7 +271,7 @@ if ($webdotbase =~ /^https?:/) {
|
||||
error => $! });
|
||||
|
||||
binmode $pngfh;
|
||||
open(DOT, "\"$webdotbase\" -Tpng $filename|");
|
||||
open(DOT, '-|', "\"$webdotbase\" -Tpng $filename");
|
||||
binmode DOT;
|
||||
print $pngfh $_ while <DOT>;
|
||||
close DOT;
|
||||
@ -300,7 +300,7 @@ if ($webdotbase =~ /^https?:/) {
|
||||
error => $! });
|
||||
|
||||
binmode $mapfh;
|
||||
open(DOT, "\"$webdotbase\" -Tismap $filename|");
|
||||
open(DOT, '-|', "\"$webdotbase\" -Tismap $filename");
|
||||
binmode DOT;
|
||||
print $mapfh $_ while <DOT>;
|
||||
close DOT;
|
||||
|
||||
@ -44,7 +44,7 @@ my @pscmds = ('ps -eo comm,gid', 'ps -acxo command,gid', 'ps -acxo command,rgid'
|
||||
my $sgid = 0;
|
||||
if (!ON_WINDOWS) {
|
||||
foreach my $pscmd (@pscmds) {
|
||||
open PH, "$pscmd 2>/dev/null |";
|
||||
open PH, '-|', "$pscmd 2>/dev/null";
|
||||
while (my $line = <PH>) {
|
||||
if ($line =~ /^(?:\S*\/)?(?:httpd|apache)2?\s+(\d+)$/) {
|
||||
$sgid = $1 if $1 > $sgid;
|
||||
@ -271,7 +271,7 @@ sub check_image {
|
||||
|
||||
sub create_file {
|
||||
my ($filename, $content) = @_;
|
||||
open(FH, ">$filename")
|
||||
open(FH, ">", $filename)
|
||||
or die "Failed to create $filename: $!\n";
|
||||
binmode FH;
|
||||
print FH $content;
|
||||
@ -280,7 +280,7 @@ sub create_file {
|
||||
|
||||
sub read_file {
|
||||
my ($filename) = @_;
|
||||
open(FH, $filename)
|
||||
open(FH, "<", $filename)
|
||||
or die "Failed to open $filename: $!\n";
|
||||
binmode FH;
|
||||
my $content = <FH>;
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user