
This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 106295
Status: resolved
Priority: 0/
Queue: IO-Socket-SSL

People
Owner: Nobody in particular
Requestors: BBYRD [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Stop using file tests like -r
https://metacpan.org/source/IO::Socket::SSL#L2075

There are checks like "-r _", but these won't work on filesystems that use ACLs. The 'filetest' pragma addresses these, but it also points out that the permissions could very well change as the process is running.

Better to just take this code out and autodie on open/read failure.
On Fri Aug 07 16:48:07 2015, BBYRD wrote:
> https://metacpan.org/source/IO::Socket::SSL#L2075
>
> There are checks like "-r _", but these won't work on filesystems that
> use ACLs. The 'filetest' pragma addresses these, but it also points
> out that the permissions could very well change as the process is
> running.
>
> Better to just take this code out and autodie on open/read failure.

Thanks for reporting the problem. I've removed the -r for checks of SSL_key_file and SSL_cert_file but I've kept these checks for SSL_ca_file and SSL_ca_path.

The problem these checks address is that one does not get any immediate information from OpenSSL if the CA path/file is not usable and one might get error messages later if the verification is attempted or it might simply fail the validation. Thus these checks are an important part of the usability because they provide a clear error message if the specified path/dir for the CA certificates can not be used.

I'm aware that there is a race between time of check and time of use but this race is not security relevant and will not happen in almost all cases.

Unfortunately I'm not able to use the proposed filetest pragma because it is only available with recent versions of Perl and I still aim to support old versions like Perl 5.8.9 too. This would be true for autodie too but in this case autodie would not be even applicable because the open of files is done with the OpenSSL library and thus autodie would have no effect.
On Sun Aug 23 15:27:11 2015, SULLR wrote:
> Unfortunately I'm not able to use the proposed filetest pragma because it is only available with
> recent versions of Perl and I still aim to support old versions like Perl 5.8.9 too. This would
> be true for autodie too but in this case autodie would not be even applicable because the open
> of files is done with the OpenSSL library and thus autodie would have no effect.

If you can't use filetest or autodie, then you should just try a real open and check the status. That's the only way to be sure.
> If you can't use filetest or autodie, then you should just try a real
> open and check the status. That's the only way to be sure.

You are right. I now check with open/opendir if the file/path can be accessed.

https://github.com/noxxi/p5-io-socket-ssl/commit/421ac8edbe535881d5927f9fe3ccc9206fc61556
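
The approach the ticket settles on, probing a CA file or directory with a real open/opendir instead of `-r`, shown as an added sketch that is not the code from IO::Socket::SSL or the linked commit. The helper name `ca_source_error`, its error wording and the temporary files are assumptions made for illustration.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Hypothetical helper (not part of IO::Socket::SSL): probe a CA source by
# really opening it. Without the filetest pragma, -r is derived from the
# mode bits and uid/gid only, so it can disagree with ACLs; open/opendir
# asks the OS for the actual access decision and sets $! on failure.
# Returns undef if usable, otherwise an error string.
sub ca_source_error {
    my ($kind, $path) = @_;
    if ($kind eq 'file') {
        open(my $fh, '<', $path)
            or return "SSL_ca_file $path can't be used: $!";
        close($fh);
    }
    elsif ($kind eq 'path') {
        opendir(my $dh, $path)
            or return "SSL_ca_path $path can't be used: $!";
        closedir($dh);
    }
    else {
        return "unknown CA source kind '$kind'";
    }
    # Usable at the time of the probe only; permissions can still change
    # before OpenSSL opens the file itself.
    return;
}

# Constructed sample data: one empty file inside a temporary directory.
my $dir  = tempdir(CLEANUP => 1);
my $file = "$dir/ca.pem";
open(my $out, '>', $file) or die "cannot create $file: $!";
close($out);

for my $case (
    ['file', $file],                # exists and opens
    ['file', "$dir/missing.pem"],   # does not exist
    ['path', $dir],                 # directory that can be listed
    ['path', $file],                # a file given where a directory is expected
) {
    my $err = ca_source_error(@$case);
    print defined $err ? "FAIL: $err\n" : "ok:   @$case\n";
}
```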

