many packages write to `temporary-file-directory' insecurely
From: Colin Walters
Subject: many packages write to `temporary-file-directory' insecurely
Date: 28 Feb 2002 20:15:51 -0500
Hi,
I discovered a security problem with M-x snake, and a number of other
packages. For example, snake writes "snake-scores" to
`temporary-file-directory' (which defaults to /tmp on my system). If an
attacker creates a symlink /tmp/snake-scores -> /home/luser/.bashrc, and
"luser" later runs M-x snake, then their .bashrc will be happily
overwritten with their snake scores. Try it.
After a quick grep through the Emacs source, terminal.el looks like it
does something similar in the function `te-create-terminfo'. And eshell
appears to use `make-temp-name' insecurely in the function
`eshell-parse-variable-ref', although it is difficult to follow the
code. And there are a number of others that I haven't investigated too
closely. Calc was creating a temporary gnuplot file insecurely; I've
just fixed it. These all *must* be fixed.
I gather that there have been reports about this problem in the past,
and this was the reason `make-temp-file' was introduced to replace
`make-temp-name'. If you maintain a package that creates temporary
files, please make sure you are using `make-temp-file'!
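As an added illustration (not code from this message, nor from Emacs or any of the packages named), the write pattern described above beside the `make-temp-file' replacement; the `my-' function names and file names are hypothetical.

```elisp
;; Added example; the `my-' names are hypothetical.

;; INSECURE: a fixed, predictable name under `temporary-file-directory'.
;; `write-region' follows whatever is already at that path, so a symlink
;; planted there beforehand redirects the write into the victim's files.
(defun my-insecure-temp-write (contents)
  (let ((file (expand-file-name "my-pkg-scratch" temporary-file-directory)))
    (write-region contents nil file nil 'silent)
    file))

;; SAFE: `make-temp-file' creates the file itself, under an unpredictable
;; name, with owner-only modes, and refuses a path that already exists
;; (it retries on `file-already-exists').  Nothing is at the returned
;; path before this call, so there is no symlink to follow.
(defun my-secure-temp-write (contents)
  (let ((file (make-temp-file "my-pkg-scratch")))
    (write-region contents nil file nil 'silent)
    file))

;; Constructed sanity check of the safe version; returns t on success.
;; The caller owns the file and must delete it when done.
(defun my-check-secure-temp-write ()
  (let ((f (my-secure-temp-write "hello\n")))
    (unwind-protect
        (and (file-exists-p f)
             (not (file-symlink-p f))
             (string= (with-temp-buffer
                        (insert-file-contents f)
                        (buffer-string))
                      "hello\n"))
      (delete-file f))))

;; Persistent data such as a score file is not a temporary file at all and
;; should not live in `temporary-file-directory'; a per-user location such
;; as `user-emacs-directory' (assumed here; it exists in Emacs 22 and later)
;; is not writable by other local users, so the symlink trick does not apply.
(defun my-score-file ()
  (expand-file-name "my-pkg-scores" user-emacs-directory))
```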