Thijs Kinkhorst wrote:
> Hi,
>
>> Done as the mass-opening of symlink attack in /tmp was wrong in this case.
>
> I don't think closing this is the appropriate action. Sure, debug code is not
> top priority. But still, the fix is straightforward and puts extra protection
> on those running in debug mode. Besides, people tend to copy-paste stuff all
> the time, so eliminating it may prevent introducing a more pertinent bug.
>
> I therefore encourage you strongly to just address the issue for lenny, even
> if it's only debug code.
>
>
> Thijs
Hi,

First of all, I didn't realise that this script was in DEBUG mode by default. So apologies for it; next time I'll read the reports more carefully and take greater care when importing code from others (in fact, my colleague Damien did import the file, so I'll let him know he should take more care).

Second, do you guys think that setting the variable to DEBUG=0 by default, then writing a BIG BIG BIG warning next to it in the code, is enough? Like: "WARNING: high security risk here if you set DEBUG=1, high risk of symlink attack", then explaining how the attack works? That's what I would do, as I don't want to rewrite the entire file, which by the way works pretty well.

Please let me know so I can fix it asap.

Thomas
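The symlink attack the thread refers to, shown as an added example that is not code from the package under discussion or from either poster: a debug log written to a predictable path in a shared directory is redirected by an attacker who plants a symlink there first, and the fix is to open with O_CREAT|O_EXCL (or use mkstemp, which does that with an unpredictable name). The names `unsafe_debug_write`, `safe_debug_open` and `run_demo` are hypothetical, and a private directory created with `tempfile.mkdtemp` stands in for /tmp so the script runs without touching the real one; the "victim" file is constructed for the demonstration.

```python
import os
import tempfile
import shutil

# Hypothetical equivalent of the DEBUG switch discussed in the thread.
# Keeping it off by default limits exposure, but the open() below is
# still wrong whenever it is turned on.
DEBUG = 0


def unsafe_debug_write(path, msg):
    """Vulnerable pattern: fixed, guessable path, and open() happily
    follows a symlink that someone else left at that path."""
    with open(path, "a") as fh:
        fh.write(msg)


def safe_debug_open(path):
    """Hardened open: O_EXCL makes creation fail if anything (file or
    symlink, even a dangling one) already exists at the path; O_NOFOLLOW
    additionally refuses to traverse a symlink. Mode 0o600 keeps the
    debug output private to the owner."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    return os.fdopen(fd, "w")


def safe_debug_tempfile(directory):
    """Preferred form: mkstemp picks an unpredictable name and opens it
    with O_CREAT|O_EXCL and mode 0o600, so there is nothing to pre-plant."""
    fd, path = tempfile.mkstemp(prefix="debug-", suffix=".log", dir=directory)
    return os.fdopen(fd, "w"), path


def run_demo():
    """Plant a symlink at the predictable path, then compare behaviours.
    Returns a dict of booleans describing what happened."""
    sandbox = tempfile.mkdtemp(prefix="symlink-demo-")  # stands in for /tmp
    try:
        # Constructed victim file, e.g. something the attacker wants clobbered.
        victim = os.path.join(sandbox, "victim")
        with open(victim, "w") as fh:
            fh.write("original contents\n")

        # Attacker wins the race by placing the symlink before the program runs.
        predictable = os.path.join(sandbox, "debug.log")
        os.symlink(victim, predictable)

        # 1. Vulnerable write: the data lands in the victim file.
        unsafe_debug_write(predictable, "debug output\n")
        with open(victim) as fh:
            unsafe_followed = "debug output" in fh.read()

        # 2. Hardened open: refuses because the path already exists.
        try:
            with safe_debug_open(predictable) as fh:
                fh.write("debug output\n")
            safe_refused = False
        except FileExistsError:
            safe_refused = True

        # 3. mkstemp: unique name, nothing the attacker could pre-create.
        fh, tmp_path = safe_debug_tempfile(sandbox)
        with fh:
            fh.write("debug output\n")
        mkstemp_ok = (
            not os.path.islink(tmp_path)
            and os.path.dirname(tmp_path) == sandbox
            and (os.stat(tmp_path).st_mode & 0o777) == 0o600
        )

        return {
            "unsafe_followed_symlink": unsafe_followed,
            "safe_open_refused": safe_refused,
            "mkstemp_ok": mkstemp_ok,
        }
    finally:
        shutil.rmtree(sandbox, ignore_errors=True)


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The demo runs as a single user, so the symlink is followed; on a kernel with fs.protected_symlinks enabled, a symlink owned by another user in a sticky directory such as /tmp would be refused, but that is a mitigation for the system, not a reason to leave the predictable open() in the code.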