Commit 19117cc3 authored by Gervase Markham's avatar Gervase Markham Committed by David Lawrence

Bug 1079065: [SECURITY] Always use the 3 arguments form for open() to prevent shell code injection

r=dkl,a=glob
parent 272b0b69
...@@ -328,7 +328,7 @@ sub data { ...@@ -328,7 +328,7 @@ sub data {
# If there's no attachment data in the database, the attachment is stored # If there's no attachment data in the database, the attachment is stored
# in a local file, so retrieve it from there. # in a local file, so retrieve it from there.
if (length($self->{data}) == 0) { if (length($self->{data}) == 0) {
if (open(AH, $self->_get_local_filename())) { if (open(AH, '<', $self->_get_local_filename())) {
local $/; local $/;
binmode AH; binmode AH;
$self->{data} = <AH>; $self->{data} = <AH>;
...@@ -374,7 +374,7 @@ sub datasize { ...@@ -374,7 +374,7 @@ sub datasize {
# is stored in a local file, and so retrieve its size from the file, # is stored in a local file, and so retrieve its size from the file,
# or the attachment has been deleted. # or the attachment has been deleted.
unless ($self->{datasize}) { unless ($self->{datasize}) {
if (open(AH, $self->_get_local_filename())) { if (open(AH, '<', $self->_get_local_filename())) {
binmode AH; binmode AH;
$self->{datasize} = (stat(AH))[7]; $self->{datasize} = (stat(AH))[7];
close(AH); close(AH);
......
...@@ -234,7 +234,7 @@ sub check_webdotbase { ...@@ -234,7 +234,7 @@ sub check_webdotbase {
# Check .htaccess allows access to generated images # Check .htaccess allows access to generated images
my $webdotdir = bz_locations()->{'webdotdir'}; my $webdotdir = bz_locations()->{'webdotdir'};
if(-e "$webdotdir/.htaccess") { if(-e "$webdotdir/.htaccess") {
open HTACCESS, "$webdotdir/.htaccess"; open HTACCESS, "<", "$webdotdir/.htaccess";
if(! grep(/ \\\.png\$/,<HTACCESS>)) { if(! grep(/ \\\.png\$/,<HTACCESS>)) {
return "Dependency graph images are not accessible.\nAssuming that you have not modified the file, delete $webdotdir/.htaccess and re-run checksetup.pl to rectify.\n"; return "Dependency graph images are not accessible.\nAssuming that you have not modified the file, delete $webdotdir/.htaccess and re-run checksetup.pl to rectify.\n";
} }
......
...@@ -74,7 +74,7 @@ sub _throw_error { ...@@ -74,7 +74,7 @@ sub _throw_error {
$val = "*****" if $val =~ /password|http_pass/i; $val = "*****" if $val =~ /password|http_pass/i;
$mesg .= "[$$] " . Data::Dumper->Dump([$val],["env($var)"]); $mesg .= "[$$] " . Data::Dumper->Dump([$val],["env($var)"]);
} }
open(ERRORLOGFID, ">>$datadir/errorlog"); open(ERRORLOGFID, ">>", "$datadir/errorlog");
print ERRORLOGFID "$mesg\n"; print ERRORLOGFID "$mesg\n";
close ERRORLOGFID; close ERRORLOGFID;
} }
......
...@@ -196,8 +196,8 @@ sub set_cpan_config { ...@@ -196,8 +196,8 @@ sub set_cpan_config {
# Calling a senseless autoload that does nothing makes us # Calling a senseless autoload that does nothing makes us
# automatically load any existing configuration. # automatically load any existing configuration.
# We want to avoid the "invalid command" message. # We want to avoid the "invalid command" message.
open(my $saveout, ">&STDOUT"); open(my $saveout, ">&", "STDOUT");
open(STDOUT, '>/dev/null'); open(STDOUT, '>', '/dev/null');
eval { CPAN->ignore_this_error_message_from_bugzilla; }; eval { CPAN->ignore_this_error_message_from_bugzilla; };
undef $@; undef $@;
close(STDOUT); close(STDOUT);
......
...@@ -633,7 +633,7 @@ sub _update_old_charts { ...@@ -633,7 +633,7 @@ sub _update_old_charts {
($in_file =~ /\.orig$/i)); ($in_file =~ /\.orig$/i));
rename("$in_file", "$in_file.orig") or next; rename("$in_file", "$in_file.orig") or next;
open(IN, "$in_file.orig") or next; open(IN, "<", "$in_file.orig") or next;
open(OUT, '>', $in_file) or next; open(OUT, '>', $in_file) or next;
# Fields in the header # Fields in the header
......
...@@ -309,7 +309,7 @@ sub regenerate_stats { ...@@ -309,7 +309,7 @@ sub regenerate_stats {
return; return;
} }
if (open DATA, ">$file") { if (open DATA, ">", $file) {
my $fields = join('|', ('DATE', @statuses, @resolutions)); my $fields = join('|', ('DATE', @statuses, @resolutions));
my $product_name = $product->name; my $product_name = $product->name;
print DATA <<FIN; print DATA <<FIN;
......
...@@ -138,7 +138,7 @@ sub generate_chart { ...@@ -138,7 +138,7 @@ sub generate_chart {
my ($dir, $image_file, $product, $datasets) = @_; my ($dir, $image_file, $product, $datasets) = @_;
my $data_file = $dir . '/' . $product->id; my $data_file = $dir . '/' . $product->id;
if (! open FILE, $data_file) { if (!open(FILE, '<', $data_file)) {
ThrowCodeError('chart_data_not_generated', {'product' => $product}); ThrowCodeError('chart_data_not_generated', {'product' => $product});
} }
......
...@@ -27,7 +27,7 @@ print $cgi->header('application/xml'); ...@@ -27,7 +27,7 @@ print $cgi->header('application/xml');
# Get the contents of favicon.ico # Get the contents of favicon.ico
my $filename = bz_locations()->{'libpath'} . "/images/favicon.ico"; my $filename = bz_locations()->{'libpath'} . "/images/favicon.ico";
if (open(IN, $filename)) { if (open(IN, '<', $filename)) {
local $/; local $/;
binmode IN; binmode IN;
$vars->{'favicon'} = <IN>; $vars->{'favicon'} = <IN>;
......
...@@ -49,7 +49,7 @@ sub CreateImagemap { ...@@ -49,7 +49,7 @@ sub CreateImagemap {
my $map = "<map name=\"imagemap\">\n"; my $map = "<map name=\"imagemap\">\n";
my $default = ""; my $default = "";
open MAP, "<$mapfilename"; open MAP, "<", $mapfilename;
while(my $line = <MAP>) { while(my $line = <MAP>) {
if($line =~ /^default ([^ ]*)(.*)$/) { if($line =~ /^default ([^ ]*)(.*)$/) {
$default = qq{<area alt="" shape="default" href="$1">\n}; $default = qq{<area alt="" shape="default" href="$1">\n};
...@@ -258,7 +258,7 @@ if ($webdotbase =~ /^https?:/) { ...@@ -258,7 +258,7 @@ if ($webdotbase =~ /^https?:/) {
error => $! }); error => $! });
binmode $pngfh; binmode $pngfh;
open(DOT, "\"$webdotbase\" -Tpng $filename|"); open(DOT, '-|', "\"$webdotbase\" -Tpng $filename");
binmode DOT; binmode DOT;
print $pngfh $_ while <DOT>; print $pngfh $_ while <DOT>;
close DOT; close DOT;
...@@ -287,7 +287,7 @@ if ($webdotbase =~ /^https?:/) { ...@@ -287,7 +287,7 @@ if ($webdotbase =~ /^https?:/) {
error => $! }); error => $! });
binmode $mapfh; binmode $mapfh;
open(DOT, "\"$webdotbase\" -Tismap $filename|"); open(DOT, '-|', "\"$webdotbase\" -Tismap $filename");
binmode DOT; binmode DOT;
print $mapfh $_ while <DOT>; print $mapfh $_ while <DOT>;
close DOT; close DOT;
......
...@@ -40,7 +40,7 @@ my @pscmds = ('ps -eo comm,gid', 'ps -acxo command,gid', 'ps -acxo command,rgid' ...@@ -40,7 +40,7 @@ my @pscmds = ('ps -eo comm,gid', 'ps -acxo command,gid', 'ps -acxo command,rgid'
my $sgid = 0; my $sgid = 0;
if (!ON_WINDOWS) { if (!ON_WINDOWS) {
foreach my $pscmd (@pscmds) { foreach my $pscmd (@pscmds) {
open PH, "$pscmd 2>/dev/null |"; open PH, '-|', "$pscmd 2>/dev/null";
while (my $line = <PH>) { while (my $line = <PH>) {
if ($line =~ /^(?:\S*\/)?(?:httpd|apache?)2?\s+(\d+)$/) { if ($line =~ /^(?:\S*\/)?(?:httpd|apache?)2?\s+(\d+)$/) {
$sgid = $1 if $1 > $sgid; $sgid = $1 if $1 > $sgid;
...@@ -267,7 +267,7 @@ sub check_image { ...@@ -267,7 +267,7 @@ sub check_image {
sub create_file { sub create_file {
my ($filename, $content) = @_; my ($filename, $content) = @_;
open(FH, ">$filename") open(FH, ">", $filename)
or die "Failed to create $filename: $!\n"; or die "Failed to create $filename: $!\n";
binmode FH; binmode FH;
print FH $content; print FH $content;
...@@ -276,7 +276,7 @@ sub create_file { ...@@ -276,7 +276,7 @@ sub create_file {
sub read_file { sub read_file {
my ($filename) = @_; my ($filename) = @_;
open(FH, $filename) open(FH, '<', $filename)
or die "Failed to open $filename: $!\n"; or die "Failed to open $filename: $!\n";
binmode FH; binmode FH;
my $content = <FH>; my $content = <FH>;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment