> Yes, this is why it's difficult to fix :-). Unfortunately, if you > use mkstemp() but still allow the rest of the code to reopen > the temporary file by name, you've shut the linker up but > not completely closed the security hole. See > http://www.mail-archive.com/[email protected]/msg01380.html > > So I would vote against (the tempfile related parts of) this patch.
Having an MH-private namespace for scratch files is certainly the way to go here. These aren't 'temp files' in the traditional sense, and none of the usual APIs suit the task at hand. There are license-compatible mkstemp() implementations out there that can serve as a base for a code import, upon which a suitable replacement can be built. --lyndon _______________________________________________ Nmh-workers mailing list [email protected] http://lists.nongnu.org/mailman/listinfo/nmh-workers
