On Mon, Sep 24, 2007 at 03:59:00PM +0200, Jens Seidel wrote:
> I don't want to reopen this bug but why is it OK to omit /tmp? The code
> is still vulnerable. Just assume po4a is started in /tmp or in another
> directory where an attacker has write access and the problem remains ...

Yes, but only in that occasion and not every time. Users should not run stuff
with their current directory pointing to /tmp.

> I agree that it is unlikely but I often work in /tmp to handle
> translations ...

Then you might want to produce a patch that uses File::Temp's tempfile, since
that honors the TMPDIR setting and does the right thing. I just didn't find it
necessary for this package, but it should be trivial to implement.

Regards

Javier
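The two patterns discussed in this exchange side by side, as an added example that is not code from po4a, from the bug report, or from either poster. The unsafe function is constructed for contrast (it is not po4a's actual code), and the "po4a-scratch" filename template is an assumption.

```perl
#!/usr/bin/perl
# Added example: a predictable temp file created in the current directory
# versus File::Temp::tempfile(), which honors TMPDIR. Not po4a's own code.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempfile);

# --- Unsafe pattern (constructed to illustrate the problem in the thread) ---
# The name is guessable (only the PID varies), the file lives in whatever
# directory the program happens to be started in, and open() with '>' follows
# a symlink planted there by another local user, truncating the link target.
# Running from /tmp, or any world-writable directory, is exactly the case
# where this bites.
sub write_scratch_unsafe {
    my ($content) = @_;
    my $name = "po4a-scratch-$$.tmp";                     # predictable name
    open(my $fh, '>', $name) or die "open $name: $!";      # follows symlinks
    print $fh $content;
    close $fh or die "close $name: $!";
    return $name;
}

# --- Safe pattern, as suggested above ---
# tempfile() fills the XXXXXXXX part with random characters, creates the file
# with O_CREAT|O_EXCL and mode 0600 (a pre-planted file or symlink makes the
# call fail instead of being followed), and with TMPDIR => 1 places it under
# File::Spec->tmpdir, which is $TMPDIR when set and otherwise /tmp, so the
# current working directory never matters. UNLINK => 1 removes it at exit.
sub write_scratch_safe {
    my ($content) = @_;
    my ($fh, $name) = tempfile("po4a-scratch-XXXXXXXX",
                               TMPDIR => 1,
                               UNLINK => 1);
    print $fh $content;
    close $fh or die "close $name: $!";
    return $name;
}

my $tmpdir = File::Spec->tmpdir;
my $env    = defined $ENV{TMPDIR} ? $ENV{TMPDIR} : 'unset';
print "File::Temp will use $tmpdir (TMPDIR is $env)\n";

# Constructed sample content, the kind of data a PO tool might spool.
my $safe = write_scratch_safe("msgid \"hello\"\nmsgstr \"\"\n");
print "created $safe\n";
die "unexpected symlink at $safe" if -l $safe;   # sanity check on the result
```

Try it twice, once with `TMPDIR=/some/private/dir` exported and once without, to see the directory change while the current working directory stays irrelevant; `write_scratch_unsafe` is defined but deliberately never called.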
