David Levine wrote:
> While cleaning up the tmp files, I noticed a potential security
> issue. mhshow, mhn, etc., used to create temporary files using
> mkstemp(3) and then rename(3) them in order to add a filename
> extension that reflects the content type. E.g.,
> /tmp/mhshowXYZ123.html. rename allows the new filename to refer
> to the old file, even if very briefly. So I removed that
> rename.
>
> But it was there for a reason: some external display programs
> rely on the filename extension. Users can get around it with

You could use mkstemps to create the temporary file directly with a
suffix. The only problem is that it'd need a configure test for mkstemps
because at least Solaris 10 (but not 11) lacks it. Where mkstemps is
lacking, I'd just do the rename.

Oliver
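
The approach discussed in this thread, as an added C example (not part of the original messages and not nmh's own code): the temporary file is created with its extension in one exclusive step via mkstemps, with the mkstemp-then-rename path kept as the fallback. The macro name HAVE_MKSTEMPS and the helper make_suffixed_temp are assumptions; the mhshow prefix and /tmp directory follow the path quoted above.

```c
#define _DEFAULT_SOURCE              /* exposes mkstemps() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef HAVE_MKSTEMPS                /* assumed name for the configure result */
#define HAVE_MKSTEMPS 1
#endif

/* Hypothetical helper: create <dir>/mhshowXXXXXX<suffix>, store the final
 * name in path, and return an open descriptor, or -1 on failure. */
int make_suffixed_temp(const char *dir, const char *suffix,
                       char *path, size_t pathlen)
{
#if HAVE_MKSTEMPS
    int n = snprintf(path, pathlen, "%s/mhshowXXXXXX%s", dir, suffix);
    if (n < 0 || (size_t)n >= pathlen)
        return -1;
    /* The file is created exclusively, mode 0600, already carrying the
     * extension, so no rename step is needed. */
    return mkstemps(path, (int)strlen(suffix));
#else
    /* Fallback from the thread: mkstemp(3), then rename(3) to add the suffix. */
    char tmp[1024];
    int fd, n = snprintf(tmp, sizeof tmp, "%s/mhshowXXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof tmp || (fd = mkstemp(tmp)) < 0)
        return -1;
    n = snprintf(path, pathlen, "%s%s", tmp, suffix);
    if (n < 0 || (size_t)n >= pathlen || rename(tmp, path) != 0) {
        close(fd);
        unlink(tmp);
        return -1;
    }
    return fd;
#endif
}

int main(void)
{
    char path[1024];
    int fd = make_suffixed_temp("/tmp", ".html", path, sizeof path);
    if (fd < 0) { perror("make_suffixed_temp"); return 1; }
    printf("created %s\n", path);
    close(fd);
    unlink(path);
    return 0;
}
```

The caller passes the returned path to the external display program and unlinks it afterwards.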
