Hide Forgot
This print statement in the mirror sub needs error checking: 118 binmode $fh; 119 $args->{data_callback} = sub { print {$fh} $_[0] }; 120 my $response = $self->request('GET', $url, $args); Otherwise there is a risk of silent data loss in case of a full disk. In addition, you should open the temporary file in safe manner (with O_EXCL). I don't know what kind of dependencies would be acceptable for HTTP::Tiny, so it is difficult to make suggestions here.
Created attachment 829631 [details] [PATCH] Croak on failed write into a file The mirror() method saves a document into a file. Any error while writing to the file, e.g. no disk space, was ignored. This patch fixes it by croaking on such I/O error. --- lib/HTTP/Tiny.pm | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
Created attachment 829632 [details] [PATCH] Do not use already existing temporary files mirror() method tries to create a new temporary file as can be concluded by using random name. To prevent from from attacks, one has to make sure the file does not exist. This patch creates temporary files with O_CREAT|O_EXCL mode. --- lib/HTTP/Tiny.pm | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
Patches submitted to upstream as: <https://github.com/chansen/p5-http-tiny/issues/32> <https://github.com/chansen/p5-http-tiny/issues/33>
Upstream accepted the exclusive-open patch. Upstream refused the check-print-error patch because Perl close() seems to report even previous errors. Although I think the patch is useful to abort network transfer right at local I/O error to safe network resources.