Why does a simple shell script create a vulnerability here? A shell script should already be using code like this:

    set -e
    tmp="`mktemp`"
    echo "blah blah" > "$tmp"
    echo "more blah blah" >> "$tmp"
    mv -f "$tmp" "$1"

for two reasons: using mktemp avoids a symlink race condition, and the rename-temporary-file-after-successfully-writing-it idiom avoids writing an incomplete set of configuration directives for openvpn. The last of those (to avoid incomplete configuration directives) I would argue is a good reason to use a temporary file rather than doing something like popen() and reading from a child process's stdout.
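Added example, not part of the original message: the write-then-rename idiom above wrapped in a function that also discards the temporary file when the generator fails, so the destination never holds a partial configuration. The names write_config, good_directives and broken_directives are hypothetical, and placing the temporary file beside the destination (so that mv is a rename within one filesystem) is an assumption that goes beyond the snippet in the message.

```shell
#!/bin/sh
# write_config DEST CMD [ARGS...]
# Runs CMD with stdout sent to a temporary file and installs the result at
# DEST only if CMD succeeded. (Hypothetical helper for illustration.)
write_config() {
    dest=$1
    shift
    # mktemp picks an unpredictable name and creates the file exclusively
    # with mode 0600, so a symlink planted in advance is never written through.
    # Creating it in DEST's directory keeps the final mv a same-filesystem
    # rename, which replaces DEST in one step.
    tmp=$(mktemp "$(dirname "$dest")/.cfg.XXXXXX") || return 1
    if "$@" > "$tmp" && mv -f -- "$tmp" "$dest"; then
        return 0
    fi
    # Generator or rename failed: drop the partial file, leave DEST untouched.
    rm -f -- "$tmp"
    return 1
}

# Constructed generators: one complete, one that fails half-way through.
good_directives() {
    echo "blah blah"
    echo "more blah blah"
}
broken_directives() {
    echo "blah blah"
    return 1
}

# Demo in a scratch directory (constructed input).
dir=$(mktemp -d)
write_config "$dir/client.conf" good_directives
write_config "$dir/client.conf" broken_directives ||
    echo "generator failed; previous file kept:"
cat "$dir/client.conf"
rm -rf "$dir"
```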