Re: [Libreoffice] [PATCH] Simplify a function returning the temporary directory name

2011-07-15 Thread Francois Tigeot
On Wed, Jul 13, 2011 at 09:16:33AM -0600, Tor Lillqvist wrote: Do we really want to have those access() checks there? I am not evil enough to think of a way to abuse that code (insert maniacal laughter), but in general, isn't that exactly the kind of coding that could be a security

Re: [Libreoffice] [PATCH] Simplify a function returning the temporary directory name

2011-07-15 Thread Tor Lillqvist
Would that be more acceptable? Well, I am not saying they are unacceptable. I just wanted a bit of discussion with perhaps somebody actually clueful about security issues giving their opinion ;) Quite possibly the checks make good sense, and are not a risk as nobody is going to run

Re: [Libreoffice] [PATCH] Simplify a function returning the temporary directory name

2011-07-15 Thread Caolán McNamara
On Wed, 2011-07-13 at 18:48 +0200, Francois Tigeot wrote: On Wed, Jul 13, 2011 at 09:16:33AM -0600, Tor Lillqvist wrote: Do we really want to have those access() checks there? I am not evil enough to think of a way to abuse that code (insert maniacal laughter), but in general, isn't that

[Libreoffice] [PATCH] Simplify a function returning the temporary directory name

2011-07-13 Thread Francois Tigeot
Patch attached, and discussed with Caolán. I've detected a bit of duplicate code in different files, I'll try to make them use this function in the future. -- Francois Tigeot From 0f396782dee612dabea9ee9830f564d7815e464f Mon Sep 17 00:00:00 2001 From: Francois Tigeot ftig...@wolfpond.org Date:

Re: [Libreoffice] [PATCH] Simplify a function returning the temporary directory name

2011-07-13 Thread Tor Lillqvist
Do we really want to have those access() checks there? I am not evil enough to think of a way to abuse that code (insert maniacal laughter), but in general, isn't that exactly the kind of coding that could be a security vulnerability? (TOCTTOU seems to be the technical term,

Re: [Libreoffice] [PATCH] Simplify a function returning the temporary directory name

2011-07-13 Thread Francois Tigeot
On Wed, Jul 13, 2011 at 09:16:33AM -0600, Tor Lillqvist wrote: Do we really want to have those access() checks there? I am not evil enough to think of a way to abuse that code (insert maniacal laughter), but in general, isn't that exactly the kind of coding that could be a security