Description: Securely open temporary files using File::Temp (mkstemps)
Author: Gunnar Wolf <gwolf@debian.org>
Bug: https://bugs.debian.org/740891
Forwarded: No
Last-update: 2018-09-05

Index: listadmin-2.42/listadmin.pl
===================================================================
--- listadmin-2.42.orig/listadmin.pl
+++ listadmin-2.42/listadmin.pl
@@ -29,6 +29,7 @@ use strict;
 use English;
 use IO::Socket::SSL;
 use Net::INET6Glue::INET_is_INET6;
+use File::Temp qw(:mktemp);
 
 my $rc = $ENV{"HOME"}."/.listadmin.ini";
 
@@ -730,12 +731,12 @@ sub get_list {
 
     if ($page !~ get_trans_re("pending_req")) {
 	my $msg = "unexpected contents";
-	# Use rand() to protect a little against tmpfile races
-	$dumpfile ||= "/tmp/dump-" . rand() . "-$list.html";
-	if (open(DUMP, ">$dumpfile")) {
+	if (! defined($dumpfile) or $dumpfile eq '') {
+	    my $dumpfh;
+	    ($dumpfh, $dumpfile) = mkstemps('/tmp/dump-XXXXXXXX', "-$list.html");
 	    chmod(0600, $dumpfile);
-	    print DUMP $page;
-	    close(DUMP);
+	    print $dumpfh $page;
+	    close($dumpfh);
 	    $msg .= ", please send $dumpfile to $maintainer";
 	}
 	return {servererror => $msg, url => $url};
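Review bot: When `$dumpfile` is already set, the new `if (! defined($dumpfile) or $dumpfile eq '')` block is skipped entirely, so nothing is written and the "please send" text is dropped, whereas the removed code opened and wrote that path too. Where `$dumpfile` comes from is outside the hunk, so this matters only if it can arrive non-empty (a caller-supplied path, or a value kept from an earlier call). The dump was also best-effort before (`if (open(...))`), but File::Temp's `mkstemps` croaks on failure, so an unwritable `/tmp` would now abort instead of returning the `servererror` hash. I would keep `mkstemps` for the unset case, fall back to a three-argument `open` for a supplied name, and wrap the `mkstemps` call in `eval`, as sketched below. `get_list` starts and ends outside the hunk.

```perl
	my $dumpfh;
	if (defined($dumpfile) and $dumpfile ne '') {
	    # Caller-chosen path: keep the old behaviour of writing to it.
	    open($dumpfh, '>', $dumpfile) or undef $dumpfh;
	} else {
	    # mkstemps croaks on failure; keep the dump best-effort.
	    ($dumpfh, $dumpfile) = eval { mkstemps('/tmp/dump-XXXXXXXX', "-$list.html") };
	}
	if ($dumpfh) {
	    # … unchanged: chmod, print, close and the "please send" message …
	}
```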
