(-cc: bug#640389; +cc: bug#635849)

Michael Gilbert wrote:
> Jonathan Nieder wrote:

>> [1] The crux in bug #635849 is that if the user is allowed to
>> influence TMPDIR or the template argument then the filename returned
>> by tempfile and mktemp cannot be trusted not to contain shell
>> metacharacters; but properly quoting all variables is already good
>> policy in shell scripts anyway.
[...]
> OK, but I'm still not convinced that there's a case where an attacker
> has control over TMPFILE and yet wouldn't be able to do other bad
> things anyway. So what scenario are we actually trying to prevent here,
> or is this just an academic concern?

The underescaping is the original (and only) bug.

In my original message, I mentioned a malicious or incompetent user having control of the TMPDIR envvar; I actually think incompetent is more likely than malicious and that neither is too likely. I'm not suggesting an extra security advisory or anything.

My actual concern was and is that people reading and writing scripts use good habits (rather than using fragile workarounds that leave the script's behavior hard to understand). I don't think that's academic.
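
The quoting habit discussed in this message, as an added example that is not part of the original e-mail or of either bug report: a POSIX shell script that compares unquoted and quoted use of a mktemp file name when the temporary directory is carelessly named. The directory name `my tmp dir` and all function names are constructed for illustration.

```sh
#!/bin/sh
# Added example; the directory name below is constructed sample input.

# Print the number of arguments received.
count_args() { echo "$#"; }

# Create a scratch directory whose name contains spaces, standing in for
# a carelessly set TMPDIR. Prints its path.
make_odd_tmpdir() {
    base=$(mktemp -d "${TMPDIR:-/tmp}/quoting.XXXXXX") || return 1
    mkdir "$base/my tmp dir" || return 1
    printf '%s\n' "$base/my tmp dir"
}

# Number of words a command sees when the temp file name is unquoted.
unquoted_words() {
    f=$(mktemp "$1/demo.XXXXXX") || return 1
    count_args $f        # unquoted on purpose: field splitting applies
    rm -f -- "$f"
}

# Same expansion, quoted: the name always arrives as one word.
quoted_words() {
    f=$(mktemp "$1/demo.XXXXXX") || return 1
    count_args "$f"
    rm -f -- "$f"
}

# Cleanup written without quotes. Prints "left behind" if the temp file
# survives, because rm was handed fragments of the name instead.
unquoted_cleanup() {
    f=$(mktemp "$1/demo.XXXXXX") || return 1
    # Run inside the scratch dir so stray words cannot match real files.
    ( cd "$1" && rm -f -- $f ) 2>/dev/null
    if [ -e "$f" ]; then
        echo "left behind"; rm -f -- "$f"
    else
        echo "removed"
    fi
}

d=$(make_odd_tmpdir) || exit 1
echo "unquoted: $(unquoted_words "$d") words, quoted: $(quoted_words "$d") word"
echo "unquoted rm: $(unquoted_cleanup "$d")"
rm -rf -- "${d%/*}"
```
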