From 4dabf1a9c679f06b3637d3c76e1e05aa83a6d259 Mon Sep 17 00:00:00 2001
From: Gervase Markham <gerv@mozilla.org>
Date: Wed, 21 Jan 2015 19:49:57 +0000
Subject: Bug 1079065: [SECURITY] Always use the 3 arguments form for open() to
 prevent shell code injection r=dylan,a=simon

---
 Bugzilla/Install/CPAN.pm       | 4 ++--
 Bugzilla/Install/Filesystem.pm | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

(limited to 'Bugzilla/Install')

diff --git a/Bugzilla/Install/CPAN.pm b/Bugzilla/Install/CPAN.pm
index 19f143190..094784e1a 100644
--- a/Bugzilla/Install/CPAN.pm
+++ b/Bugzilla/Install/CPAN.pm
@@ -196,8 +196,8 @@ sub set_cpan_config {
     # Calling a senseless autoload that does nothing makes us
     # automatically load any existing configuration.
     # We want to avoid the "invalid command" message.
-    open(my $saveout, ">&STDOUT");
-    open(STDOUT, '>/dev/null');
+    open(my $saveout, ">&", "STDOUT");
+    open(STDOUT, '>', '/dev/null');
     eval { CPAN->ignore_this_error_message_from_bugzilla; };
     undef $@;
     close(STDOUT);
diff --git a/Bugzilla/Install/Filesystem.pm b/Bugzilla/Install/Filesystem.pm
index 2120cbc57..64b651c62 100644
--- a/Bugzilla/Install/Filesystem.pm
+++ b/Bugzilla/Install/Filesystem.pm
@@ -634,7 +634,7 @@ sub _update_old_charts {
                  ($in_file =~ /\.orig$/i));
 
         rename("$in_file", "$in_file.orig") or next;
-        open(IN, "$in_file.orig") or next;
+        open(IN, "<", "$in_file.orig") or next;
         open(OUT, '>', $in_file) or next;
 
         # Fields in the header
-- 
cgit v1.2.3-24-g4f1b