perl-GRID-Machine-0.127-alt5.noarch unsafe-tmp-usage-in-scripts info The test found scripts with errors that a local user could exploit to damage important system files. For example, if a script works with a temporary file created under a predictable name in the /tmp directory, then any user can create a symlink with the same name (pattern) in that directory beforehand, so that the script destroys or overwrites system files or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because, where libpam-tmpdir is in use, it creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/share/doc/perl-GRID-Machine-0.127/examples/syntaxerr.pl: $ grep /tmp/ /usr/share/doc/perl-GRID-Machine-0.127/examples/syntaxerr.pl my $remote_uname = $machine->eval( "uname()" )->results; print "@$remote_uname\n"; # We can pass arguments $machine->eval( q{ open FILE, '> /tmp/foo.txt'; print FILE shift; close FILE; }, "Hello, world!" ); read_all => q{ #line 25 err1.pl my $filename = shift; my $FILE; local $/ ) undef; # line X1 <-- error!!! open $FILE, "< /tmp/foo.txt"; $_ = <$FILE>; close $FILE; return $_; }, ); die $result->errmsg unless $result->type eq 'OK'; my @files = $machine->eval('glob("/tmp/*.txt")'); foreach my $file ( @files ) { # Remote call: an GRID::Machine::Result object is returned my $content = $machine->read_all($file )->result; print "$content\n"; } Found error in /usr/share/doc/perl-GRID-Machine-0.127/examples/pruebaetsii.pl: $ grep -A5 -B5 /tmp/ /usr/share/doc/perl-GRID-Machine-0.127/examples/pruebaetsii.pl $ips->eval( "use POSIX qw( uname )" ); my @remote_uname = $ips->eval( "uname()" ); print "@remote_uname\n"; # We can pass arguments $ips->eval( "open FILE, '> /tmp/foo.txt'; print FILE shift; close FILE;", "Hello, world!" 
); # We can pre-compile stored procedures $ips->store( "slurp_file", <<'EOS' my $filename = shift; my $FILE; local $/ = undef; open $FILE, "< /tmp/foo.txt"; $_ = <$FILE>; close $FILE; return $_; EOS ); my @files = $ips->eval('glob("/tmp/*.txt")'); foreach my $file ( @files ) { print "$file:\n**************\n"; my $content = $ips->call( "slurp_file", $file ); print "$content\n"; } Found error in /usr/share/doc/perl-GRID-Machine-0.127/examples/pruebacommandarray.pl: $ grep -A5 -B5 /tmp/ /usr/share/doc/perl-GRID-Machine-0.127/examples/pruebacommandarray.pl $ips->eval( "use POSIX qw( uname )" ); my @remote_uname = $ips->eval( "uname()" ); print "@remote_uname\n"; # We can pass arguments $ips->eval( "open FILE, '> /tmp/foo.txt'; print FILE shift; close FILE;", "Hello, world!" ); # We can pre-compile stored procedures $ips->store( "slurp_file", <<'EOS' my $filename = shift; my $FILE; local $/ = undef; open $FILE, "< /tmp/foo.txt"; $_ = <$FILE>; close $FILE; return $_; EOS ); my @files = $ips->eval('glob("/tmp/*.txt")'); foreach my $file ( @files ) { my $content = $ips->call( "slurp_file", $file ); print "$content\n"; } Found error in /usr/share/doc/perl-GRID-Machine-0.127/examples/pruebacommand.pl: $ grep -A5 -B5 /tmp/ /usr/share/doc/perl-GRID-Machine-0.127/examples/pruebacommand.pl $ips->eval( "use POSIX qw( uname )" ); my @remote_uname = $ips->eval( "uname()" ); print "@remote_uname\n"; # We can pass arguments $ips->eval( "open FILE, '> /tmp/foo.txt'; print FILE shift; close FILE;", "Hello, world!" 
); $ips->eval('use vars qw($c $f %d)'); $ips->eval('$a = [4..9]; $c = {a=>1, b=>2}; %d = (d=>9, e=>11)'); -- # We can pre-compile stored procedures $ips->store( "slurp_file", <<'EOS' my $filename = shift; my $FILE; local $/ = undef; open $FILE, "< /tmp/foo.txt"; $_ = <$FILE>; close $FILE; return $_; EOS ); -- #print $ips->dump('$f'); my $f = $ips->eval('Mipaquete::triple(4)'); print "triple de 4: $f\n"; my @files = $ips->eval('glob("/tmp/*.txt")'); foreach my $file ( @files ) { my $content = $ips->call( "slurp_file", $file ); print "$file:\n********************\n$content\n"; } Found error in /usr/share/doc/perl-GRID-Machine-0.127/examples/prueba.pl: $ grep -A5 -B5 /tmp/ /usr/share/doc/perl-GRID-Machine-0.127/examples/prueba.pl my $remote_uname = $m->eval( "uname()" )->results; print "@$remote_uname\n"; # We can pass arguments $m->eval( q{ open FILE, '> /tmp/foo.txt'; print FILE shift; close FILE; }, "Hello, world!" ); -- # We can pre-compile stored procedures $m->compile( slurp_file => q{ my $filename = shift; my $FILE; local $/ = undef; open $FILE, "< /tmp/foo.txt"; $_ = <$FILE>; close $FILE; return $_; } ); my @files = $m->eval('glob("/tmp/*.txt")'); foreach my $file ( @files ) { my $content = $m->call( "slurp_file", $file ); print $content->result."\n"; } Found error in /usr/share/doc/perl-GRID-Machine-0.127/examples/pipes.pl: $ grep -A5 -B5 /tmp/ /usr/share/doc/perl-GRID-Machine-0.127/examples/pipes.pl my $machine = shift || 'orion.pcg.ull.es'; my $m = GRID::Machine->new( host => $machine ); my $i; my $f = $m->open('| sort -n > /tmp/sorted.txt'); for($i=10; $i>=0;$i--) { $f->print("$i\n") } $f->close(); my $g = $m->open('/tmp/sorted.txt'); print while <$g>; Found error in /usr/share/doc/perl-GRID-Machine-0.127/examples/bind.pl: $ grep -A5 -B5 /tmp/ /usr/share/doc/perl-GRID-Machine-0.127/examples/bind.pl my $remote_uname = $machine->eval( "uname()" )->results; print "@$remote_uname\n"; # We can pass arguments $machine->eval( q{ open FILE, '> /tmp/foo.txt'; print 
FILE shift; close FILE; }, "Hello, world!" ); -- read_all => q{ #line __LINE__ __FILE__ my $filename = shift; my $FILE; local $/ = undef; open $FILE, "< /tmp/foo.txt"; $_ = <$FILE>; close $FILE; return $_; }, ); my @files = $machine->eval('glob("/tmp/*.txt")'); foreach my $file ( @files ) { # Remote call: an GRID::Machine::Result object is returned my $content = $machine->read_all($file )->result; print "$content\n"; };