[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Nmh-workers] tmp file cleanup

From: David Levine
Subject: Re: [Nmh-workers] tmp file cleanup
Date: Sun, 19 Jan 2014 18:27:41 -0500

> > It looks like this might have been added just 4 years ago.
> > Otherwise, I'd be reluctant to remove it.  Earl?
> The only place I've seen $TMP referenced is on Windows.  We really
> shouldn't proliferate this to UNIX when the convention since the
> dawn of time has been $TMPDIR.

I agree, but it's in there now so'd we'd have to deprecate it.

> > This is a security breach waiting to happen.  For tempfiles you
> > should always be specifying an absolute path.  This isn't just an
> > MH issue.
> > 
> > Alright, how about if we adios() if MHTMPDIR contains any ".." ?
> I'm still uneasy about relative paths, but I don't have the time
> right now to test an explicit exploit scenario.  The '..' test
> should be there regardless, though.  And I wonder if there aren't
> other places we should disallow it.

I expect that there are:  anything that's relative to the MH Path
is susceptible.  But again, there may be users out there who depend
on it, and moreso than $TMP.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]