[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Nmh-workers] tmp file cleanup

From: Lyndon Nerenberg
Subject: Re: [Nmh-workers] tmp file cleanup
Date: Sun, 19 Jan 2014 14:52:15 -0800

> It looks like this might have been added just 4 years ago.
> Otherwise, I'd be reluctant to remove it.  Earl?

The only place I've seen $TMP referenced is on Windows.  We really shouldn't 
proliferate this to UNIX when the convention since the dawn of time has been 

> This is a security breach waiting to happen.  For tempfiles you should
>> always be specifying an absolute path.  This isn't just an MH issue.
> Alright, how about if we adios() if MHTMPDIR contains any ".." ?

I'm still uneasy about relative paths, but I don't have the time right now to 
test an explicit exploit scenario.  The '..' test should be there regardless, 
though.  And I wonder if there aren't other places we should disallow it.


Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

reply via email to

[Prev in Thread] Current Thread [Next in Thread]