[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Nmh-workers] extensions on tmp filenames?

From: David Levine
Subject: [Nmh-workers] extensions on tmp filenames?
Date: Sat, 01 Feb 2014 17:30:45 -0500

While cleaning up the tmp files, I noticed a potential security
issue.  mhshow, mhn, etc., used to create temporary files using
mkstemp(3) and then rename(3) them in order to add a filename
extension that reflects the content type.  E.g.,
/tmp/mhshowXYZ123.html.  rename allows the new filename to refer
to the old file, even if very briefly.  So I removed that

But it was there for a reason:  some external display programs
rely on the filename extension.  Users can get around it with
lynx -force_html, w3m -T text/html, etc.  But is that asking too
much?  If so, what's a better way to handle it?  Maybe do the
rename only if the tmp directory is the user's MH Path?  Or,
always rename those tmp files, but always put them in the MH
Path?  Or?

The tmp directory is the first non-null location of
{MHTMPDIR, TMP, MH Path directory}.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]