in reply to Avoiding race conditions

You can use File::Temp to return both the filehandle and the filename. When this is done, there is no race condition. When File::Temp opens a file, it does so with O_CREAT|O_EXCL set in the flags and a mode of 600, which ensures that the file will be created and that only you will be able to read or write it. A race condition would be to return only the filename and then open() it, because the file could have been generated by someone else between the time File::Temp checks whether it exists and the time you open it. So, if you use the File::Temp functions in list form, ($filehandle, $filename) = tempfile(...), you should be safe (assuming your temp directory isn't on NFS).

Re: Re: Avoiding race conditions
by swiftone (Curate) on Apr 24, 2001 at 22:36 UTC
    That's what I thought, but in the File::Temp documentation:
    WARNING
    For maximum security, endeavour always to avoid ever looking at, touching, or even imputing the existence of the filename. You do not know that that filename is connected to the same file as the handle you have, and attempts to check this can only trigger more race conditions. It's far more secure to use the filehandle alone and dispense with the filename altogether.
      Yes, that is correct. If the file was made in a directory which is world-writeable (like most temp directories) and does not have the sticky bit set (unlike most temp directories), then someone can come along and delete the file and make a new one in its place with the same name.

      While we're on the subject, one practice which I consider good form in general (but which may not work for you, since you want the file available via www) is to create a ~/tmp with 700 permissions and create all temp files in there. This prevents all of the /tmp race condition security bugs that have cropped up in the past and will surely crop up in the future (it still does not prevent a race condition, since two copies of your program could both generate the same filename before either of them opened it, but it prevents someone from symlinking the file to /etc/passwd or creating and opening it first).

      Anyway, back to your problem: since you are publishing the files via www, I assume that they are being put in a directory which is writeable only by you. If this is the case, then you do not need to worry about anyone deleting the file. People will probably be able to read the file, but I don't think that is a big problem, since you're making it available via the www and someone could just fetch it via the www rather than the local filesystem if they could predict the filename, though a brute-force guess would be much slower via www.
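The following is an added example, not code from any of the posters above. It puts the two suggestions in this thread together: the private ~/tmp directory with 0700 permissions from the last reply, and the list-context tempfile() call from the first reply, which hands back a handle that is already open with O_CREAT|O_EXCL and mode 0600. It then shows what O_EXCL actually buys by attempting a second exclusive create of the same path, and finishes by reading the file back through the handle rather than the name, as the File::Temp warning quoted above advises. The directory name, the template 'reportXXXXXXXX' and the contents written are assumptions chosen for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): race-free temp-file creation in Perl.
# Assumes a private scratch directory under $HOME; names are illustrative.
use strict;
use warnings;
use File::Temp qw(tempfile);
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Spec;

# 1. Private scratch directory, as suggested above.  mkdir is subject to
#    the umask, so chmod afterwards to be certain of 0700.
my $tmpdir = File::Spec->catdir($ENV{HOME}, 'tmp');
unless (-d $tmpdir) {
    mkdir $tmpdir, 0700 or die "mkdir $tmpdir: $!";
}
chmod 0700, $tmpdir or die "chmod $tmpdir: $!";

# Refuse the directory if it is a symlink or not owned by us; either would
# reintroduce the shared-/tmp attacks the thread is talking about.
die "$tmpdir is a symlink\n"    if -l $tmpdir;
die "$tmpdir not owned by us\n" if (lstat $tmpdir)[4] != $>;

# 2. The unsafe pattern described in the first reply, for contrast only:
#    pick a name, then open() it later.  In a shared directory the gap
#    between choosing the name and opening it is where a symlink or a
#    planted file can appear.
#   my $name = "/tmp/report.$$";          # predictable name
#   open my $bad, '>', $name or die;      # would follow a planted symlink

# 3. The safe pattern: list-context tempfile() returns an already-open
#    handle AND the name.  The file was created with O_CREAT|O_EXCL and
#    mode 0600, so there is no window in which someone else can supply it.
my ($fh, $filename) = tempfile('reportXXXXXXXX', DIR => $tmpdir, UNLINK => 1);
print $fh "generated at ", scalar localtime, "\n";

# 4. What O_EXCL guarantees: an exclusive create of a path that already
#    exists fails with EEXIST instead of silently opening someone else's
#    file.  This is the check that a plain open() for writing lacks.
my $again;
if (sysopen $again, $filename, O_WRONLY | O_CREAT | O_EXCL, 0600) {
    die "unexpected: O_EXCL create succeeded on an existing file\n";
}
print "O_EXCL create of $filename refused: $!\n";

# 5. Per the File::Temp warning: keep working through $fh, never re-open
#    $filename, so a swapped path can never be followed.  seek flushes the
#    buffered write before reading back.
seek $fh, 0, 0 or die "seek: $!";
while (my $line = <$fh>) {
    print "read back via handle: $line";
}
close $fh or die "close: $!";
# UNLINK => 1 removes the file when the program exits.
```

Because the directory is 0700 and owned by the running user, this example does not serve the original poster's need to publish the file via the web server; it demonstrates the handle-based discipline, which carries over unchanged to whatever directory the web server reads.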