file mode

[tokuhirom]

Created temporary file is world readable. It cause security issue.

$ perl6-m -e 'use File::Temp; my ($fname, $fh) = tempfile(); run "ls", "-l", $fname'
-rw-rw-r--. 1 tokuhirom tokuhirom 0 Oct 14 11:04 /tmp/v0lP7DvWlc

Perl5's code is readable by owner only.

$ perl -e 'use File::Temp qw/tempfile/; my ($fh, $fname) = tempfile(); system "ls", "-l", $fname'
-rw-------. 1 tokuhirom tokuhirom 0 Oct 14 11:05 /tmp/1qtbZFwofM

[rudis]

Seconded too. Secure defaults are very important, please change it.

[perlpilot]

Fixed for both files and directories in 7852c8d6e7536463f3e438d9753415d7018e2253

[rudis]

The commit contains a race condition and doesn't fix the bug. If the file is opened before the chmod, an attacker can still read the file contents even after the chmod.

To prevent the race condition please use the $mode argument for open() and mkdir(). If you like I can write a patch.

[zoffixznet]

@rudis any word on the patch? I can submit a fix, if you're busy.

[zoffixznet]

Looking at this 1 year later, I don't really see the race condition. The mode is set before the file is given to the user. Also, open doesn't have a mode argument.

EDIT: ah, OK, the race could let the attacker write crap into it, though doesn't look like this is solvable with Perl 6 IO at the moment.