From patchwork Mon Mar 21 10:01:55 2005
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "C.Y.M" <syphir@syphir.sytes.net>
X-Patchwork-Id: 11813
Received: from dialup-4.246.105.142.dial1.sanjose1.level3.net
	([4.246.105.142]
	helo=nofear.bounceme.net) by www.linuxtv.org with esmtp (Exim 4.34)
	id 1DDJg3-0001w6-LT
	for vdr@linuxtv.org; Mon, 21 Mar 2005 10:58:28 +0100
Received: from [10.1.1.66] (hades [10.1.1.66])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by nofear.bounceme.net (Postfix) with ESMTP id 02BA67358A
	for <vdr@linuxtv.org>; Mon, 21 Mar 2005 01:58:35 -0800 (PST)
Message-ID: <423E9B93.2080808@syphir.sytes.net>
Date: Mon, 21 Mar 2005 02:01:55 -0800
From: "C.Y.M" <syphir@syphir.sytes.net>
Organization: CooLNeT
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Vdr <vdr@linuxtv.org>
X-Enigmail-Version: 0.90.2.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Subject: [vdr] security patch for vdradmin-0.97-am1
X-BeenThere: vdr@linuxtv.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: syphir@syphir.sytes.net, Klaus Schmidinger's VDR <vdr@linuxtv.org>
List-Id: Klaus Schmidinger's VDR <vdr.linuxtv.org>
List-Unsubscribe: <http://www.linuxtv.org/cgi-bin/mailman/listinfo/vdr>,
	<mailto:vdr-request@linuxtv.org?subject=unsubscribe>
List-Archive: <http://www.linuxtv.org/pipermail/vdr>
List-Post: <mailto:vdr@linuxtv.org>
List-Help: <mailto:vdr-request@linuxtv.org?subject=help>
List-Subscribe: <http://www.linuxtv.org/cgi-bin/mailman/listinfo/vdr>,
	<mailto:vdr-request@linuxtv.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Mar 2005 09:58:29 -0000
Status: O
X-Status: 
X-Keywords: 
X-UID: 907

I noticed the following patch was missing from vdradmin-0.97-am1.

Regards,

--- vdradmin/vdradmind.pl.orig	2005-03-21 01:05:27.000000000 -0800
+++ vdradmin/vdradmind.pl	2005-03-21 01:08:07.000000000 -0800
@@ -32,6 +32,8 @@
 	unshift(@INC, $BASENAME . "lib/");
 }
 
+require File::Temp;
+
 use CGI qw(:no_debug);
 use IO::Socket;
 use HTML::Template::Expr();
@@ -39,6 +41,7 @@
 use Time::Local qw(timelocal);
 use POSIX ":sys_wait_h", qw(strftime mktime);
 use MIME::Base64();
+use File::Temp();
 
 $SIG{CHLD} = sub { wait };
 
@@ -704,7 +707,7 @@
 
 sub GZip {
 	my $content = shift;
-  my $filename = "/tmp/vdradmin." . time();
+  my $filename = new File::Temp("vdradmin-XXXXX", UNLINK => 1);
   open(PIPE, "| gzip -9 - > $filename") || die "cant open pipe to gzip ($!)";
   print PIPE $$content;
   close(PIPE);
@@ -3739,7 +3742,7 @@
 #############################################################################
 sub grab_picture {
 	my $size = $q->param("size");
-	my $file = "/tmp/vdr.jpg";
+	my $file = new File::Temp("vdr-XXXXX", UNLINK => 1, SUFFIX => ".jpg");
 	my $maxwidth = 768;
 	my $maxheight = 576;
 	my($width, $height);