While cleaning up the tmp files, I noticed a potential security
issue. mhshow, mhn, etc., used to create temporary files using
mkstemp(3) and then rename(3) them in order to add a filename
extension that reflects the content type. E.g.,
/tmp/mhshowXYZ123.html. rename allows the new filename to refer
to the old file, even if very briefly. So I removed that
rename.
But it was there for a reason: some external display programs
rely on the filename extension. Users can get around it with
lynx -force_html, w3m -T text/html, etc. But is that asking too
much? If so, what's a better way to handle it? Maybe do the
rename only if the tmp directory is the user's MH Path? Or,
always rename those tmp files, but always put them in the MH
Path? Or?
The tmp directory is the first non-null location of
{MHTMPDIR, TMP, MH Path directory}.
David
_______________________________________________
Nmh-workers mailing list
Nmh-workers(_at_)nongnu(_dot_)org
https://lists.nongnu.org/mailman/listinfo/nmh-workers