1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
|
--- perl-5.8.4.orig/lib/File/Path.pm
+++ perl-5.8.4/lib/File/Path.pm
@@ -72,27 +72,17 @@
=item *
-a boolean value, which if TRUE will cause C<rmtree> to
-skip any files to which you do not have delete access
-(if running under VMS) or write access (if running
-under another OS). This will change in the future when
-a criterion for 'delete permission' under OSs other
-than VMS is settled. (defaults to FALSE)
+a boolean value, which if FALSE (the default for non-root users) will
+cause C<rmtree> to adjust the mode of directories (if required) prior
+to attempting to remove the contents. Note that on interruption or
+failure of C<rmtree>, directories may be left with more permissive
+modes for the owner.
=back
It returns the number of files successfully deleted. Symlinks are
simply deleted and not followed.
-B<NOTE:> If the third parameter is not TRUE, C<rmtree> is B<unsecure>
-in the face of failure or interruption. Files and directories which
-were not deleted may be left with permissions reset to allow world
-read and write access. Note also that the occurrence of errors in
-rmtree can be determined I<only> by trapping diagnostic messages
-using C<$SIG{__WARN__}>; it is not apparent from the return value.
-Therefore, you must be extremely careful about using C<rmtree($foo,$bar,0)>
-in situations where security is an issue.
-
=head1 DIAGNOSTICS
=over 4
@@ -118,6 +108,7 @@
use Exporter ();
use strict;
use warnings;
+use Cwd 'getcwd';
our $VERSION = "1.06";
our @ISA = qw( Exporter );
@@ -166,111 +157,133 @@
@created;
}
-sub rmtree {
- my($roots, $verbose, $safe) = @_;
- my(@files);
- my($count) = 0;
- $verbose ||= 0;
- $safe ||= 0;
-
- if ( defined($roots) && length($roots) ) {
- $roots = [$roots] unless ref $roots;
- }
- else {
- carp "No root path(s) specified\n";
- return 0;
- }
-
- my($root);
- foreach $root (@{$roots}) {
- if ($Is_MacOS) {
- $root = ":$root" if $root !~ /:/;
- $root =~ s#([^:])\z#$1:#;
- } else {
- $root =~ s#/\z##;
+sub _rmtree;
+sub _rmtree
+{
+ my ($path, $prefix, $up, $up_dev, $up_ino, $verbose, $safe) = @_;
+
+ my ($dev, $ino) = lstat $path or do {
+ carp "Can't stat $prefix$path ($!)" unless $!{ENOENT};
+ return 0;
+ };
+
+ unless (-d _)
+ {
+ print "unlink $prefix$path\n" if $verbose;
+ unless (unlink $path)
+ {
+ carp "Can't remove file $prefix$path ($!)";
+ return 0;
}
- (undef, undef, my $rp) = lstat $root or next;
- $rp &= 07777; # don't forget setuid, setgid, sticky bits
- if ( -d _ ) {
- # notabene: 0777 is for making readable in the first place,
- # it's also intended to change it to writable in case we have
- # to recurse in which case we are better than rm -rf for
- # subtrees with strange permissions
- chmod(0777, ($Is_VMS ? VMS::Filespec::fileify($root) : $root))
- or carp "Can't make directory $root read+writeable: $!"
- unless $safe;
-
- if (opendir my $d, $root) {
- no strict 'refs';
- if (!defined ${"\cTAINT"} or ${"\cTAINT"}) {
- # Blindly untaint dir names
- @files = map { /^(.*)$/s ; $1 } readdir $d;
- } else {
- @files = readdir $d;
- }
- closedir $d;
- }
- else {
- carp "Can't read $root: $!";
- @files = ();
- }
- # Deleting large numbers of files from VMS Files-11 filesystems
- # is faster if done in reverse ASCIIbetical order
- @files = reverse @files if $Is_VMS;
- ($root = VMS::Filespec::unixify($root)) =~ s#\.dir\z## if $Is_VMS;
- if ($Is_MacOS) {
- @files = map("$root$_", @files);
- } else {
- @files = map("$root/$_", grep $_!~/^\.{1,2}\z/s,@files);
- }
- $count += rmtree(\@files,$verbose,$safe);
- if ($safe &&
- ($Is_VMS ? !&VMS::Filespec::candelete($root) : !-w $root)) {
- print "skipped $root\n" if $verbose;
- next;
- }
- chmod 0777, $root
- or carp "Can't make directory $root writeable: $!"
- if $force_writeable;
- print "rmdir $root\n" if $verbose;
- if (rmdir $root) {
- ++$count;
- }
- else {
- carp "Can't remove directory $root: $!";
- chmod($rp, ($Is_VMS ? VMS::Filespec::fileify($root) : $root))
- or carp("and can't restore permissions to "
- . sprintf("0%o",$rp) . "\n");
- }
- }
- else {
- if ($safe &&
- ($Is_VMS ? !&VMS::Filespec::candelete($root)
- : !(-l $root || -w $root)))
- {
- print "skipped $root\n" if $verbose;
- next;
- }
- chmod 0666, $root
- or carp "Can't make file $root writeable: $!"
- if $force_writeable;
- print "unlink $root\n" if $verbose;
- # delete all versions under VMS
- for (;;) {
- unless (unlink $root) {
- carp "Can't unlink file $root: $!";
- if ($force_writeable) {
- chmod $rp, $root
- or carp("and can't restore permissions to "
- . sprintf("0%o",$rp) . "\n");
- }
- last;
- }
- ++$count;
- last unless $Is_VMS && lstat $root;
- }
+ return 1;
+ }
+
+ unless (chdir $path)
+ {
+ carp "Can't chdir to $prefix$path ($!)";
+ return 0;
+ }
+
+ # avoid a race condition where a directory may be replaced by a
+ # symlink between the lstat and the chdir
+ my ($new_dev, $new_ino, $perm) = stat '.';
+ unless ("$new_dev:$new_ino" eq "$dev:$ino")
+ {
+ croak "Directory $prefix$path changed before chdir, aborting";
+ }
+
+ $perm &= 07777;
+ my $nperm = $perm | 0700;
+ unless ($safe or $nperm == $perm or chmod $nperm, '.')
+ {
+ carp "Can't make directory $prefix$path read+writeable ($!)";
+ $nperm = $perm;
+ }
+
+ my $count = 0;
+ if (opendir my $dir, '.')
+ {
+ my $entry;
+ while (defined ($entry = readdir $dir))
+ {
+ next if $entry =~ /^\.\.?$/;
+ $entry =~ /^(.*)$/s; $entry = $1; # untaint
+ $count += _rmtree $entry, "$prefix$path/", '..', $dev, $ino,
+ $verbose, $safe;
}
+
+ closedir $dir;
+ }
+
+ # restore directory permissions if required (in case the rmdir
+ # below fails) now, while we're still in the directory and may do
+ # so without a race via '.'
+ unless ($nperm == $perm or chmod $perm, '.')
+ {
+ carp "Can't restore permissions on directory $prefix$path ($!)";
+ }
+
+ # don't leave the caller in an unexpected directory
+ unless (chdir $up)
+ {
+ croak "Can't return to $up from $prefix$path ($!)";
+ }
+
+ # ensure that a chdir .. didn't take us somewhere other than
+ # where we expected (see CVE-2002-0435)
+ unless (($new_dev, $new_ino) = stat '.'
+ and "$new_dev:$new_ino" eq "$up_dev:$up_ino")
+ {
+ croak "Previous directory $up changed since entering $prefix$path";
+ }
+
+ print "rmdir $prefix$path\n" if $verbose;
+ if (rmdir $path)
+ {
+ $count++;
+ }
+ else
+ {
+ carp "Can't remove directory $prefix$path ($!)";
+ }
+
+ return $count;
+}
+
+sub rmtree
+{
+ my ($p, $verbose, $safe) = @_;
+ $p = [] unless defined $p and length $p;
+ $p = [ $p ] unless ref $p;
+ my @paths = grep defined && length, @$p;
+
+ # default to "unsafe" for non-root (will chmod dirs)
+ $safe = $> ? 0 : 1 unless defined $safe;
+
+ unless (@paths)
+ {
+ carp "No root path(s) specified";
+ return;
+ }
+
+ my $oldpwd = getcwd or do {
+ carp "Can't fetch initial working directory";
+ return;
+ };
+
+ my ($dev, $ino) = stat '.' or do {
+ carp "Can't stat initial working directory";
+ return;
+ };
+
+ # untaint
+ for ($oldpwd) { /^(.*)$/s; $_ = $1 }
+
+ my $count = 0;
+ for my $path (@paths)
+ {
+ $count += _rmtree $path, '', $oldpwd, $dev, $ino, $verbose, $safe;
}
$count;
|
GitWeb