David Levine wrote:

> While cleaning up the tmp files, I noticed a potential security
> issue. mhshow, mhn, etc., used to create temporary files using
> mkstemp(3) and then rename(3) them in order to add a filename
> extension that reflects the content type. E.g.,
> /tmp/mhshowXYZ123.html. rename allows the new filename to refer
> to the old file, even if very briefly. So I removed that
> rename.
>
> But it was there for a reason: some external display programs
> rely on the filename extension. Users can get around it with

You could use mkstemps to create the temporary file directly with a
suffix. The only problem is that it'd need a configure test for
mkstemps because at least Solaris 10 (but not 11) lacks it. Where
mkstemps is lacking, I'd just do the rename.

Oliver
_______________________________________________
Nmh-workers mailing list
Nmh-workers(_at_)nongnu(_dot_)org
https://lists.nongnu.org/mailman/listinfo/nmh-workers
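
As an added example (not part of the original message and not nmh code), here is the approach suggested in the reply above: create the file directly under its suffixed name with mkstemps, and fall back to mkstemp plus rename where mkstemps is lacking. The helper name `tmpfile_with_suffix` and the `HAVE_MKSTEMPS` macro are assumptions standing in for the result of the configure test.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1       /* glibc: expose mkstemps(3) */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifndef HAVE_MKSTEMPS
#define HAVE_MKSTEMPS 1         /* assumed result of the configure test */
#endif

/* Hypothetical helper: create a temp file whose name ends in `suffix`
 * (e.g. ".html"). Returns an open fd and stores the name in `path`,
 * or returns -1 on failure. */
int tmpfile_with_suffix(const char *dir, const char *suffix,
                        char *path, size_t pathlen)
{
    int n = snprintf(path, pathlen, "%s/mhshowXXXXXX%s", dir, suffix);
    if (n < 0 || (size_t)n >= pathlen)
        return -1;              /* refuse a truncated template */
#if HAVE_MKSTEMPS
    /* Created exclusively under its final name: no rename step. */
    return mkstemps(path, (int)strlen(suffix));
#else
    /* Fallback where mkstemps is lacking: mkstemp, then rename. */
    char tmp[1024];
    size_t stem = (size_t)n - strlen(suffix);
    if (stem >= sizeof tmp)
        return -1;
    memcpy(tmp, path, stem);
    tmp[stem] = '\0';
    int fd = mkstemp(tmp);
    if (fd < 0)
        return -1;
    memcpy(path, tmp, stem);    /* suffix is already in place in path */
    if (rename(tmp, path) != 0) { close(fd); unlink(tmp); return -1; }
    return fd;
#endif
}

int main(void)
{
    char path[1024];
    int fd = tmpfile_with_suffix("/tmp", ".html", path, sizeof path);
    if (fd < 0) { perror("tmpfile_with_suffix"); return 1; }
    printf("%s\n", path);       /* name to hand to the display program */
    close(fd);
    return unlink(path) != 0;
}
```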