> It looks like this might have been added just 4 years ago.
> Otherwise, I'd be reluctant to remove it. Earl?

The only place I've seen $TMP referenced is on Windows. We really shouldn't proliferate this to UNIX when the convention since the dawn of time has been $TMPDIR.

>> This is a security breach waiting to happen. For tempfiles you should
>> always be specifying an absolute path. This isn't just an MH issue.
>
> Alright, how about if we adios() if MHTMPDIR contains any ".." ?

I'm still uneasy about relative paths, but I don't have the time right now to test an explicit exploit scenario. The '..' test should be there regardless, though. And I wonder if there aren't other places we should disallow it.

--lyndon
_______________________________________________
Nmh-workers mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/nmh-workers
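An added example (not nmh's code) of the check discussed in the thread: require an absolute temp directory and refuse any ".." component. It tests path components rather than using a plain substring match, so a directory name that merely contains ".." inside a component is not rejected; `validate_tmpdir` and the sample values are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Outcome of checking a candidate temp directory. */
enum tmpdir_status {
    TMPDIR_OK = 0,
    TMPDIR_EMPTY,
    TMPDIR_RELATIVE,   /* does not begin with '/' */
    TMPDIR_DOTDOT      /* has a ".." path component */
};

/*
 * Hypothetical validator for a directory taken from the environment
 * (e.g. MHTMPDIR); not nmh's own code.  Requires an absolute path and
 * rejects any ".." component.  The check walks components instead of
 * using strstr(), so a name such as "/var/tmp/a..b" is still accepted.
 */
enum tmpdir_status validate_tmpdir(const char *dir)
{
    const char *p = dir;

    if (dir == NULL || *dir == '\0')
        return TMPDIR_EMPTY;
    if (dir[0] != '/')
        return TMPDIR_RELATIVE;

    while (*p != '\0') {
        const char *start;

        while (*p == '/')              /* skip one or more separators */
            p++;
        start = p;
        while (*p != '\0' && *p != '/')
            p++;
        if (p - start == 2 && start[0] == '.' && start[1] == '.')
            return TMPDIR_DOTDOT;
    }
    return TMPDIR_OK;
}

int main(void)
{
    /* Constructed sample values, not taken from any real configuration. */
    const char *samples[] = { "/tmp", "tmp", "/tmp/../etc", "/var/tmp/a..b" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %d\n", samples[i], (int)validate_tmpdir(samples[i]));
    return 0;
}
```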
