Bug#367711: perl-modules: CGI.pm $TMPDIRECTORY heuristics is trying to be too smart and fails on uid change

Niko Tyni ntyni at debian.org
Sat Nov 6 05:44:46 UTC 2010 

tag 367711 patch
forwarded 367711 http://rt.cpan.org/Public/Bug/Display.html?id=62762
reassign 367711 libcgi-pm-perl 3.49-1
thanks

On Wed, May 17, 2006 at 09:57:37PM +0200, Peter Gervai wrote:
> Package: perl-modules
> Version: 5.8.8-4
> Severity: normal

Thanks for the report and sorry about the lack of action on this bug. 
 
> CGI.pm uses a temp dir for uploads. It does not make it possible to force it
> (apart from changing the source), or set it explicitely, but uses a heuristics
> to walk several hardwired dirs and use the first which is writable.
> 
> This actually breaks programs which preload CGI when apache2 starts (runs at uid 0 because
> there is no user [suexec] at that time, so everything is writable), and later find
> out that suexec'ed uid cannot write the dir, an CGI.pm fails with a cryptic error msg. 
> 
> Heuristics is a good thing, but there should be a way to override it without
> changing the source, like other options allow.

As far as I can see, $ENV{TMPDIR} was and still is documented to override
the hardwired dirs (except ~/tmp, which isn't really used and seems to
be a documentation bug.)

There's also code that checks for writability at run time and tries to
recalculate the temp dir if necessary. Unfortunately that seems to have
been broken since 3.12 (Perl 5.8.8 had 3.15), which added undocumented
support for setting $CGITempFile::TMPDIRECTORY before loading the module.

I agree the error message could be better.

I've reported this upstream with the attached suggested patch, see
 http://rt.cpan.org/Public/Bug/Display.html?id=62762 

I'm reassigning this against the separate libcgi-pm-perl package, which
contains a newer version of CGI.pm as the one shipped with Perl. This
way you'll get notified as soon as the fix gets in Debian. Unfortunately
I doubt this will happen for the next release (Squeeze), as we are
very close to a release now and these kind of changes aren't allowed
in anymore.

(@pkg-perl: I suggest avoiding non-upstreamed fixes with dual lived
modules even more than usual, as there's the danger of the core version
and the separate package getting out of sync.)
-- 
Niko Tyni   ntyni at debian.org

More information about the pkg-perl-maintainers mailing list