 

This queue is for tickets about the Perl-Tidy CPAN distribution.

Report information
The Basics
Id: 128477
Status: open
Priority: 0/
Queue: Perl-Tidy

People
Owner: perltidy [...] users.sourceforge.net
Requestors: tlhackque [...] yahoo.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: File ownership not preserved
Date: Mon, 11 Feb 2019 14:15:30 -0500
To: bug-Perl-Tidy [...] rt.cpan.org
From: tlhackque <tlhackque [...] yahoo.com>
It seems that perltidy preserves permissions, but not ownership. This is a (potential security) problem with suid/sgid scripts.

E.g. (this is Linux)

    # perltidy --version
    This is perltidy, v20181120
    # ls -l pdft
    -rwsr-sr-x 1 noreply noreply 27280 Feb 11 12:46 pdft
    # perltidy -b pdft
    # ls -l pdft
    -rwsr-sr-x 1 root devel 26712 Feb 11 13:46 pdft

In this case, the working directory is g+s to 'devel'.

Note that the permissions were retained, but the *ownership* (both user and group) changed.

This is not good; running the script would setuid and setgid to the wrong users! User 'noreply', Group 'noreply' were intended; 'root', 'devel' are the result.

That's a potential security issue... when the developer tests the reformatted code, and even when the script ships.

There are some choices for how to fix:

a) don't preserve the setuid/setgid bits
b) attempt to change file ownership; if that fails, see (a)
c) don't preserve permissions at all

(b) seems like the right choice. (a) is safe, but annoying. (c) would be a regression.

Note that the perltidy user may not have permission to change ownership (on most systems you need to be the superuser to change owner; changing groups is less constrained), so blindly changing it would be a mistake. (always check return codes; the current chmod does not.) But it's pretty easy to make the attempt, then compare input file with output - clear the setxid bits if ownership doesn't match. (It might match by default, inheritance, or if you do an explicit chown.) You only need to clear setuid if uid mismatches; likewise clear setgid if gid mismatches.

See Tidy.pm line 1328 in the current release. The logic there adds u+rw, which seems like a hack.

Also, consider passing the output file handle to chcon & chown (avoids any races).

What to do about ACLs and/or security contexts is left as an opportunity for the reader... They would seem to have similar issues - but they ought to inherit, and are more platform-specific.

Thanks.
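Option (b) from the report above, sketched in Perl as an added example; it is not part of the ticket and is not the code perltidy shipped. The helper name `restore_owner_and_mode`, its argument order and the demo values are hypothetical, and it assumes a platform where Perl's `chown`/`chmod` accept file handles (fchown/fchmod).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:mode);          # S_ISUID, S_ISGID
use File::Temp qw(tempfile);

# Hypothetical helper, not from Tidy.pm. $mode/$uid/$gid are the values
# recorded by stat() on the original file before it was replaced.
sub restore_owner_and_mode {
    my ( $output_file, $mode, $uid, $gid ) = @_;

    # Operate on a handle (fchown/fchmod/fstat) so the path cannot be
    # swapped for another file between the individual calls.
    open( my $fh, '<', $output_file ) or die "open $output_file: $!";

    # Best effort: non-root callers normally cannot change the owner, so
    # fall back to the group alone (-1 leaves the uid untouched). Failure
    # is tolerated here because the result is verified with fstat below.
    chown( $uid, $gid, $fh ) or chown( -1, $gid, $fh );

    my @st = stat($fh) or die "fstat $output_file: $!";
    my @dropped;
    if ( ( $mode & S_ISUID ) && $st[4] != $uid ) {
        $mode &= ~S_ISUID;    # setuid would run as the wrong user
        push @dropped, 'setuid';
    }
    if ( ( $mode & S_ISGID ) && $st[5] != $gid ) {
        $mode &= ~S_ISGID;    # setgid would run as the wrong group
        push @dropped, 'setgid';
    }

    # chmod last: a chown can itself clear the setuid/setgid bits.
    chmod( $mode, $fh ) or die "chmod $output_file: $!";
    close($fh) or die "close $output_file: $!";
    return ( $mode, @dropped );
}

# Constructed demo: a temp file stands in for the rewritten script; the
# "original" was mode 6755 and owned by a different uid than ours.
my ( $tmp_fh, $tmp ) = tempfile( UNLINK => 1 );
close($tmp_fh);
my @cur = stat($tmp);
my ( $final, @dropped ) =
  restore_owner_and_mode( $tmp, oct('6755'), $cur[4] + 1, $cur[5] );
printf "final mode %04o, dropped: %s\n", $final, "@dropped" || 'none';
```

Run without privileges, the owner change fails and the setuid bit is dropped while setgid survives because the group still matches; run as root, the chown succeeds and both bits are kept.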
Thanks, I'll fix that in the next release. Steve
On Sun Feb 17 10:17:06 2019, SHANCOCK wrote:
> Thanks, I'll fix that in the next release. Steve
I forgot to add that this problem is specific to when the -b option is used.
setuid/setgid are consistent with file ownership in v20190601. I will leave this ticket open.

