nmh-workers

Re: [Nmh-workers] tmp file cleanup


From: Lyndon Nerenberg
Subject: Re: [Nmh-workers] tmp file cleanup
Date: Sun, 19 Jan 2014 14:52:15 -0800

> It looks like this might have been added just 4 years ago.
> Otherwise, I'd be reluctant to remove it.  Earl?

The only place I've seen $TMP referenced is on Windows.  We really shouldn't 
proliferate this to UNIX when the convention since the dawn of time has been 
$TMPDIR.

>> This is a security breach waiting to happen.  For tempfiles you should
>> always be specifying an absolute path.  This isn't just an MH issue.
> 
> Alright, how about if we adios() if MHTMPDIR contains any ".." ?

I'm still uneasy about relative paths, but I don't have the time right now to 
test an explicit exploit scenario.  The '..' test should be there regardless, 
though.  And I wonder if there aren't other places we should disallow it.

--lyndon

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
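
The check discussed in this message, written out as an added example (not nmh code and not from anyone in the thread): it requires an absolute path and rejects any path component that is exactly "..", rather than any ".." substring. The function name check_tmpdir and the status enum are hypothetical; how the caller reports a failure is left open.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not nmh code: vet a directory taken from an
 * environment variable such as MHTMPDIR before creating temp files in it. */
enum tmpdir_status { TMPDIR_OK, TMPDIR_EMPTY, TMPDIR_RELATIVE, TMPDIR_DOTDOT };

enum tmpdir_status
check_tmpdir(const char *dir)
{
    const char *p;

    if (dir == NULL || *dir == '\0')
        return TMPDIR_EMPTY;
    if (*dir != '/')
        return TMPDIR_RELATIVE;    /* would resolve against the cwd */

    /* Walk the path one component at a time so that only a component
     * that is exactly ".." is rejected; "/tmp/a..b" is a legal name
     * that a plain substring search for ".." would refuse. */
    p = dir;
    while (*p != '\0') {
        size_t len;

        while (*p == '/')          /* skip separators, including repeats */
            p++;
        len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return TMPDIR_DOTDOT;
        p += len;
    }
    return TMPDIR_OK;
}

int
main(void)
{
    /* Constructed sample values, not taken from the thread. */
    const char *samples[] = { "/tmp/mh", "mhtmp", "/tmp/../etc", "/tmp/a..b" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %d\n", samples[i], (int)check_tmpdir(samples[i]));
    return 0;
}
```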

