On 18/03/15 21:32, Markus Wanner wrote:
On 03/18/2015 09:09 PM, Adam D. Barratt wrote:
++ write_allowed_paths.push_back("/tmp/*.xml");
Is that really intended? (Both the hardcoding of /tmp/ rather than using
something respecting TMPDIR and being allowed to write any ".xml"
there.)
It certainly matches Nasal/IOrules in flightgear-data,
Yes, the allowed-paths list is intentionally identical to the
(post-#780716-fix) Nasal/IOrules: the purpose of this patch is to move
the checking process to somewhere scripts can't disable.
I'm not quite sure what Nasal scripts need to write
temporary XML files.
I'm not aware of any that do, but haven't specifically looked.
Is untrusted scripts being able to write (not read) /tmp/*.xml a
security or other RC bug (which would require a new upload of flightgear
_and_ flightgear-data with the obvious fixes), or just not a good idea?
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
