Zsh Mailing List Archive
Re: [PATCH] Re: Insecure tempfile creation
- X-seq: zsh-workers 34071
- From: Daniel Shahaf <d.s@xxxxxxxxxxxxxxxxxx>
- To: Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx>
- Subject: Re: [PATCH] Re: Insecure tempfile creation
- Date: Mon, 29 Dec 2014 00:49:57 +0000
- Cc: zsh-workers@xxxxxxx
- In-reply-to: <141228004101.ZM28486@torch.brasslantern.com>
- List-help: <mailto:zsh-workers-help@zsh.org>
- List-id: Zsh Workers List <zsh-workers.zsh.org>
- List-post: <mailto:zsh-workers@zsh.org>
- Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
- References: <20141222203624.GA24855@tarsus.local2> <141227223029.ZM15959@torch.brasslantern.com> <141227234421.ZM16038@torch.brasslantern.com> <141228004101.ZM28486@torch.brasslantern.com>
Bart Schaefer wrote on Sun, Dec 28, 2014 at 00:41:01 -0800:
> On Dec 27, 11:44pm, Bart Schaefer wrote:
> }
> } I suppose =(<<<'') would actually be better, since it won't fork. Hm.
> }
> } This patch does not yet tackle uses of "/tmp" that do not use $TMPPREFIX
>
> Fortunately I didn't find any of the latter except for the previously
> identified one in _cvs (_cvs_run). So the patch below changes the use
> of =(:) to =(<<<'') and repairs _cvs_run to create the temp directory
> in a safe (I hope) manner. Apply on top of 34067.
>
First of all, thanks for picking this up. I'd meant to get back to this
thread early January, but I'm happy to have been beaten to it :-)
Your patches look good to me, including the rmdir, except for:
> - } =(: temporary file)
> + } =(<<<'temporary file')
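Review bot: The `+` line keeps the words "temporary file" inside the here-string, so the temp file now contains that text, whereas in the old `=(: temporary file)` they were ignored arguments to `:` and the file was created empty. If the words were only a label, move them into a comment and use `=(<<<'')`, the form named in the quoted description above.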
I assume =(<<<'') was the intention.
Thanks again,
Daniel