Re: [Nmh-workers] tmp file cleanup
From: David Levine
Subject: Re: [Nmh-workers] tmp file cleanup
Date: Sun, 19 Jan 2014 18:27:41 -0500

> > It looks like this might have been added just 4 years ago.
> > Otherwise, I'd be reluctant to remove it. Earl?
>
> The only place I've seen $TMP referenced is on Windows. We really
> shouldn't proliferate this to UNIX when the convention since the
> dawn of time has been $TMPDIR.
I agree, but it's in there now so we'd have to deprecate it.
> > This is a security breach waiting to happen. For tempfiles you
> > should always be specifying an absolute path. This isn't just an
> > MH issue.
> >
> > Alright, how about if we adios() if MHTMPDIR contains any ".." ?
>
> I'm still uneasy about relative paths, but I don't have the time
> right now to test an explicit exploit scenario. The '..' test
> should be there regardless, though. And I wonder if there aren't
> other places we should disallow it.
I expect that there are: anything that's relative to the MH Path
is susceptible. But again, there may be users out there who depend
on it, and more so than $TMP.
David
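
The check discussed in this message, as an added example that is not part of the original e-mail or of nmh's code: it refuses any `..` path component in `MHTMPDIR` and reports relative paths separately, since the thread leaves open whether those must stay supported. The function and enum names are hypothetical, and matching whole components rather than the substring `..` is an assumption that goes beyond the proposal as worded.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result codes for this sketch (names are not from nmh). */
enum tmpdir_status { TMPDIR_OK = 0, TMPDIR_EMPTY, TMPDIR_RELATIVE, TMPDIR_DOTDOT };

/* Return nonzero if any '/'-separated component of path is exactly "..".
   Matching whole components keeps names such as "cache..old" usable. */
static int has_dotdot_component(const char *path)
{
    const char *p = path;
    while (*p) {
        while (*p == '/') p++;            /* skip separators */
        size_t len = strcspn(p, "/");     /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        p += len;
    }
    return 0;
}

/* Classify a candidate temp directory; ".." is checked before relativity. */
enum tmpdir_status check_tmpdir(const char *path)
{
    if (path == NULL || *path == '\0')
        return TMPDIR_EMPTY;
    if (has_dotdot_component(path))
        return TMPDIR_DOTDOT;
    if (path[0] != '/')
        return TMPDIR_RELATIVE;
    return TMPDIR_OK;
}

int main(void)
{
    const char *dir = getenv("MHTMPDIR");
    enum tmpdir_status st = check_tmpdir(dir);
    if (st == TMPDIR_DOTDOT) {
        /* The thread proposes adios() at this point; the sketch just exits. */
        fprintf(stderr, "MHTMPDIR \"%s\" contains a \"..\" component\n", dir);
        return EXIT_FAILURE;
    }
    if (st == TMPDIR_RELATIVE)
        fprintf(stderr, "warning: MHTMPDIR \"%s\" is a relative path\n", dir);
    printf("MHTMPDIR: %s\n", st == TMPDIR_EMPTY ? "(unset)" : dir);
    return EXIT_SUCCESS;
}
```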