Re: [Nmh-workers] extensions on tmp filenames?
From: Oliver Kiddle
Subject: Re: [Nmh-workers] extensions on tmp filenames?
Date: Sun, 02 Feb 2014 01:33:31 +0100

David Levine wrote:
> While cleaning up the tmp files, I noticed a potential security
> issue. mhshow, mhn, etc., used to create temporary files using
> mkstemp(3) and then rename(3) them in order to add a filename
> extension that reflects the content type. E.g.,
> /tmp/mhshowXYZ123.html. rename allows the new filename to refer
> to the old file, even if very briefly. So I removed that
> rename.
>
> But it was there for a reason: some external display programs
> rely on the filename extension. Users can get around it with
You could use mkstemps to create the temporary file directly with a
suffix. The only problem is that it'd need a configure test for
mkstemps because at least Solaris 10 (but not 11) lacks it. Where
mkstemps is lacking, I'd just do the rename.
Oliver
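
The approach suggested in the reply above, as an added example (not code from nmh or from either poster): the file is created directly under its suffixed name with mkstemps(3), and the mkstemp-plus-rename path is compiled only where mkstemps is missing. The helper name `tmp_with_suffix` and the `HAVE_MKSTEMPS` macro are assumptions standing in for whatever the configure test would define.

```c
#define _DEFAULT_SOURCE            /* glibc: make mkstemps() visible */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef HAVE_MKSTEMPS              /* assumption: set by a configure test */
#define HAVE_MKSTEMPS 1
#endif

/* Hypothetical helper: create a unique temp file named <prefix>XXXXXX<suffix>.
 * Returns an open fd with the final name in path, or -1 on failure. */
int tmp_with_suffix(char *path, size_t len, const char *prefix, const char *suffix)
{
    int n = snprintf(path, len, "%sXXXXXX%s", prefix, suffix);
    if (n < 0 || (size_t)n >= len)
        return -1;                 /* name would not fit in the buffer */
#if HAVE_MKSTEMPS
    /* Created with O_EXCL under its final name: no rename step at all. */
    return mkstemps(path, (int)strlen(suffix));
#else
    /* Fallback named in the reply: mkstemp(), then rename() to add the suffix.
     * rename() replaces whatever already exists at the target name. */
    char *base = malloc(len);
    int fd = -1;
    if (base == NULL) return -1;
    snprintf(base, len, "%sXXXXXX", prefix);
    if ((fd = mkstemp(base)) >= 0) {
        snprintf(path, len, "%s%s", base, suffix);
        if (rename(base, path) != 0) {
            unlink(base);          /* do not leave the unsuffixed file behind */
            close(fd);
            fd = -1;
        }
    }
    free(base);
    return fd;
#endif
}

int main(void)
{
    char path[64];
    int fd = tmp_with_suffix(path, sizeof path, "/tmp/mhshow", ".html");
    if (fd < 0) { perror("tmp_with_suffix"); return 1; }
    printf("%s\n", path);          /* name to hand to the external viewer */
    close(fd);
    return unlink(path) != 0;
}
```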