unexpected warning: Use of -l on filehandle at .../Path/Tiny.pm line 291. about path-tiny HOT 4 CLOSED

Appears to have been introduced by 025d72a (defend iterator against symlink attack). Possibly the following patch implements what was intended correctly:

diff --git a/lib/Path/Tiny.pm b/lib/Path/Tiny.pm
index 6ae2e32..85d8633 100644
--- a/lib/Path/Tiny.pm
+++ b/lib/Path/Tiny.pm
@@ -512,7 +512,7 @@ sub iterator {
                 opendir( $dh, $current->[PATH] )
                     or _throw( 'opendir', [$dh, $current->[PATH]] );
                 $dirs[0] = $dh;
-                if ( -l $dirs[0] && ! $args->{follow_symlinks} ) {
+                if ( -l $current->[PATH] && ! $args->{follow_symlinks} ) {
                     # Symlink attack! It was a real dir, but is now a symlink!
                     # N.B. we check *after* opendir so we don't have a race
                     shift @dirs and next;

from path-tiny.

Thanks for the bug report. I didn't see anything in the docs that
suggested it wouldn't work (and I didn't get any warnings in testing, which
is odd).

Your "fix" might be the best alternative. There is still a race condition
in there, but harder to attack, since it would require someone to swap a
symlink for a dir (before the opendir) and then swap it back (before the
path check).

And if there's no way for the OS to know if an open handle came from a
symlink at all, then the point is moot, I guess.

David

David Golden [email protected]
Take back your inbox! → http://www.bunchmail.com/
Twitter/IRC: @xdg

from path-tiny.

Strange. That warning disappeared in 5.16.

I've fixed it per your suggestion and shipped 0.019.

from path-tiny.

Thanks for the quick response.

from path-tiny.