On 07/08/2013 08:36 AM, Jérémy Lal wrote:
> I still do not understand if this is really a security issue.
> IMO if a program on your system does that, the whole system is compromised,
> you can't really be hardening any software against it.
What we're talking about is a classic symlink attack. I haven't tried
to verify it with npm myself, but using predictable tmpfile names in
world-writable directories is the usual gateway to a vulnerability here.
> If you disagree, do you mind if we move this discussion to upstream
> [nodejs] discussion group? We'll probably find some enlightenment there.
I'm not on the upstream nodejs discussion group, but if you want to cc
me on discussion there, I'd be happy to chime in.
--dkg