I have code in a CPAN module I maintain that tests fine on all but a few CPAN test runners. I haven't figured out what the runners that fail have in common other than being owned by the same person, and not all of that person's runners. I cannot reproduce the error on any platform I have tried, including trying to match anything about the test runner that is included in the CPAN test report.

Insecure dependency in mkdir while running with -T switch at ... File/Temp.pm line 542

The line number in the error message indicates that it is running File::Temp version 0.2311 (the latest) or 0.2310, as they are the only versions with the mkdir call being on exactly line 542. I looked through the File::Temp GitHub history.

The failing test runners have various older versions of perl, but so do many of the many more test machines that don't fail, and I used plenv on my test machine to check for that.

The call to tempdir specifies DIR="log" so it is not referencing whatever is set up for the system temp storage. (see code below)

As an example, here is one of the failing CPAN test reports: A cpantesters test report

Here are the lines of code that I think are involved, including my attempt in the above example to make absolutely sure that what gets passed to File::Temp::tempdir is untainted. In every case the call to sa_t_init is passed a string literal, e.g., sa_t_init("footest"), but for this testing I added the $tname=untaint_var($tname) to see if it would help. It didn't.

This is the only call to File::Temp::tempdir that is called in all the failing tests, so I am certain it is the line that is involved.

    use File::Temp qw(tempdir);

    sub sa_t_init {
      my $tname = shift;
      $tname = untaint_var($tname);
    ...
      unless (-d "log") {
        mkdir ("log", 0755) or die ("Error creating log dir: $!");
      }
      chmod (0755, "log"); # in case already exists with wrong permissions
    ...
      $workdir = tempdir("$tname.XXXXXX", DIR => "log");

    # Simple version of untaint_var for internal use
    sub untaint_var {
      local($1);
      $_[0] =~ /^(.*)\z/s;
      return $1;
    }

Can anyone think of a set of circumstances that could result in this call to tempdir getting an insecure dependency in mkdir, when most times it does not? Is there some way that mkdir can think that the representation of the current directory is tainted and so fail trying to mkdir in the current directory?
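
An added diagnostic, not part of the original post and not File::Temp's own code: run under -T on an affected runner, it reports whether the literal arguments and the current-directory values returned by Cwd and File::Spec are tainted there. The script name and the list of probed values are assumptions; which of them File::Temp actually passes to mkdir has to be confirmed against the installed File/Temp.pm.

```perl
# Added diagnostic; run as: perl -T taint_probe.pl   (file name is hypothetical)
# Run it from the directory in which the failing tests run.
use strict;
use warnings;
use Cwd ();
use File::Spec ();
use File::Temp ();
use Scalar::Util qw(tainted);

my $tname = "footest";    # constructed sample, same form as sa_t_init("footest")

# Values that could plausibly reach mkdir. Which of them File::Temp really
# uses is an assumption to confirm against the installed File/Temp.pm.
my @probe = (
    [ 'template literal'         => sub { "$tname.XXXXXX" } ],
    [ 'DIR literal'              => sub { "log" } ],
    [ 'Cwd::getcwd()'            => sub { Cwd::getcwd() } ],
    [ 'File::Spec->curdir'       => sub { File::Spec->curdir } ],
    [ 'File::Spec->rel2abs(log)' => sub { File::Spec->rel2abs("log") } ],
    [ 'File::Spec->catdir(...)'  => sub { File::Spec->catdir("log", "$tname.XXXXXX") } ],
    [ 'File::Spec->tmpdir'       => sub { File::Spec->tmpdir } ],
);

# Versions matter here: the report should show what the runner really loaded.
printf "perl %vd  File::Temp %s  File::Spec %s  Cwd %s  taint=%s\n",
    $^V, File::Temp->VERSION, File::Spec->VERSION, Cwd->VERSION,
    ${^TAINT} ? "on" : "off";

for my $p (@probe) {
    my ($name, $code) = @$p;
    my $value = eval { $code->() };    # a taint failure inside a probe is caught
    my $err   = $@;
    chomp $err;
    my $state = $err            ? "died"
              : !defined $value ? "undef"
              : tainted($value) ? "TAINTED"
              :                   "clean";
    my $shown = $err ? $err : defined $value ? $value : "";
    printf "%-26s %-8s %s\n", $name, $state, $shown;
}
```

Comparing the output from a passing and a failing runner shows whether the tainted value is one of the arguments or something derived from the current directory.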

