> > It looks like this might have been added just 4 years ago.
> > Otherwise, I'd be reluctant to remove it. Earl?
>
> The only place I've seen $TMP referenced is on Windows. We really
> shouldn't proliferate this to UNIX when the convention since the
> dawn of time has been $TMPDIR.

I agree, but it's in there now so we'd have to deprecate it.

> > This is a security breach waiting to happen. For tempfiles you
> > should always be specifying an absolute path. This isn't just an
> > MH issue.
> >
> > Alright, how about if we adios() if MHTMPDIR contains any ".." ?
>
> I'm still uneasy about relative paths, but I don't have the time
> right now to test an explicit exploit scenario. The '..' test
> should be there regardless, though. And I wonder if there aren't
> other places we should disallow it.

I expect that there are: anything that's relative to the MH Path is susceptible. But again, there may be users out there who depend on it, and more so than $TMP.

David

_______________________________________________
Nmh-workers mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/nmh-workers
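As an added illustration of the check discussed in this thread (this is example code, not nmh's): require that a directory taken from MHTMPDIR is an absolute path and reject any ".." component before it is used to build temp-file names. The function name `check_tmpdir` and the status codes are assumptions for the example; nmh itself would call adios() on failure rather than return a code.

```c
#include <stdio.h>
#include <string.h>

/* Result codes for the MHTMPDIR check (constructed for this example). */
enum tmpdir_status {
    TMPDIR_OK = 0,
    TMPDIR_RELATIVE = 1,   /* does not start with '/' */
    TMPDIR_DOTDOT = 2,     /* contains a ".." path component */
    TMPDIR_EMPTY = 3       /* unset or empty string */
};

/*
 * Validate a directory value from the environment before using it for
 * temp files. The ".." test is done per path component, not as a plain
 * substring search, so "/tmp/..cache" is accepted while "/tmp/../etc"
 * is rejected. Repeated separators ("//") are tolerated.
 */
enum tmpdir_status check_tmpdir(const char *dir)
{
    if (dir == NULL || *dir == '\0')
        return TMPDIR_EMPTY;
    if (dir[0] != '/')
        return TMPDIR_RELATIVE;

    const char *p = dir;
    while (*p != '\0') {
        while (*p == '/')               /* skip one or more separators */
            p++;
        const char *start = p;
        while (*p != '\0' && *p != '/') /* scan one component */
            p++;
        if (p - start == 2 && start[0] == '.' && start[1] == '.')
            return TMPDIR_DOTDOT;
    }
    return TMPDIR_OK;
}

int main(void)
{
    /* Constructed sample values a user might put in MHTMPDIR. */
    const char *samples[] = { "/tmp", "tmp", "../tmp",
                              "/var/tmp/../etc", "/tmp/..cache", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> %d\n", samples[i], check_tmpdir(samples[i]));
    return 0;
}
```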
