Hi - > > That's not that serious a category of concern. Environment variables > > are not under control of untrusted agents. FWIW, $DEBUGINFOD_CACHE is > > considerably more dangerous in that regard (cache cleaning!). > > You have a way to make me even more scared of security issues than less > :) > > It would actually be pretty bad if a user made the mistake to set > DEBUGINFOD_CACHE to e.g. their home directory by mistake.
Yeah, those bothering to override the default path have to be careful. > Could we have some extra safeguard there? e.g. If the directory already > exist check whether it is completely empty or if it isn't empty it > contains a cache_clean_interval file? Or at least only delete files > that follow our creation pattern: > <build-id-hexstring>/[debuginfo|executable|source]? This sounds prudent. Will work on that. - FChE