Hi,

Peter Palfrader:
> onionshare uses /tmp/onionshare_server.log as a logfile with --debug.

Good catch!

While that code obviously conflicts with basic secure programming best practices, it seems to me that the default settings of the fs.protected_symlinks and fs.protected_hardlinks sysctls protect Debian users against exploitation, so I find RC severity hard to justify given this only affects users who manually pass --debug under a non-default sysctl/kernel configuration.

In any case, this should be fixed :)

Cheers,
--
intrigeri
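Added example, not part of the message above and not onionshare's code: a Python sketch that reads the two sysctls named in the message and opens a debug log without relying on them. The function names, the `onionshare_` prefix and the `server.log` name are assumptions made for illustration, and the symlink scenario in `demo()` is constructed.

```python
# Added example; names and paths are illustrative, not onionshare's own code.
import os
import tempfile

def read_fs_sysctl(name):
    """Return /proc/sys/fs/<name> as an int, or None if it cannot be read."""
    try:
        with open(os.path.join("/proc/sys/fs", name)) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

def kernel_link_protection():
    """Report the two sysctls the message relies on."""
    return {n: read_fs_sysctl(n)
            for n in ("protected_symlinks", "protected_hardlinks")}

def open_log_exclusive(path):
    """Create the log file; fail if anything already exists at path.

    O_CREAT|O_EXCL refuses an existing file and an existing symlink
    (even a dangling one); O_NOFOLLOW is kept as belt and braces.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    return os.fdopen(os.open(path, flags, 0o600), "w")

def open_private_log(prefix="onionshare_"):
    """Place the log in a fresh 0700 directory with an unpredictable name."""
    directory = tempfile.mkdtemp(prefix=prefix)
    path = os.path.join(directory, "server.log")
    return open_log_exclusive(path), path

def demo():
    """Constructed scenario: a symlink already sits at the log path."""
    work = tempfile.mkdtemp()
    target = os.path.join(work, "other_file.txt")
    log = os.path.join(work, "onionshare_server.log")
    with open(target, "w") as f:
        f.write("original\n")
    os.symlink(target, log)
    try:
        open_log_exclusive(log).close()
        refused = False
    except OSError:  # EEXIST on Linux
        refused = True
    with open(target) as f:
        return refused, f.read()
```

The scratch directory in `demo()` is not sticky and world-writable, so `fs.protected_symlinks` plays no part there; the refusal comes from the open flags alone.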