On 2005.08.10 00:21:17 +0200, Stefan Bethke wrote:
> On 10.08.2005 at 00:08, Simon L. Nielsen wrote:
>
> >On 2005.08.09 23:30:26 +0200, Stefan Bethke wrote:
> >
> >> sed -e 's/#.*$//' <${mdconfig_conf} |grep -v '^[[:space:]]*$' >/tmp/mdconfig.$$
> >
> >Try searching the web for "temporary file symlink attack"... (hint:
> >creating temporary files like that is bad, use mktemp).
>
> Again, thanks for the hint. This was meant as a starting point; it
> was hacked together as a stop-gap measure in twenty minutes. (And has
> persisted over six months now...)

I agree that it's unlikely to be actually exploited, but there might be situations where it can be, which is why I wanted to point out the problem. Hacks have a tendency to stay around exactly like the six month part of your paragraph, which is rather common, :-).

> I would be more than happy for someone else taking this script,
> polishing it, and getting it committed, so I don't have to remember
> not nuking it on the next mergemaster :-)

I will let the rc.d gurus ponder a bit about how this is done best :-).

-- 
Simon L. Nielsen
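The quoted pipeline rewritten around mktemp, as an added example that is not part of the original thread or of the script under discussion. The function names `strip_conf` and `demo` and the sample configuration lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Before (from the thread): output goes to a name derived
# from the PID, which another local user can predict and create first:
#   sed -e 's/#.*$//' <${mdconfig_conf} | grep -v '^[[:space:]]*$' >/tmp/mdconfig.$$

# strip_conf FILE: write FILE without comments and blank lines to a fresh
# private temporary file and print that file's path on stdout.
strip_conf() {
    _src=$1
    [ -r "$_src" ] || return 1
    # mktemp chooses an unpredictable suffix and creates the file itself,
    # exclusively and with mode 0600; it never reuses an existing name.
    _tmp=$(mktemp "${TMPDIR:-/tmp}/mdconfig.XXXXXXXXXX") || return 1
    _rc=0
    sed -e 's/#.*$//' <"$_src" | grep -v '^[[:space:]]*$' >"$_tmp" || _rc=$?
    # grep exits 1 when no line survives the filter (a config holding only
    # comments); that is a valid empty result. Only a status >1 is an error.
    if [ "$_rc" -gt 1 ]; then
        rm -f "$_tmp"
        return 1
    fi
    printf '%s\n' "$_tmp"
}

# demo: run strip_conf on a constructed sample config and print the result.
demo() {
    _conf=$(mktemp "${TMPDIR:-/tmp}/sample.XXXXXXXXXX") || return 1
    # Constructed sample input standing in for ${mdconfig_conf}.
    printf '%s\n' '# constructed sample' 'md0 /data/a.img' '' \
        '   # indented comment' 'md1 /data/b.img' >"$_conf"
    _out=$(strip_conf "$_conf") || { rm -f "$_conf"; return 1; }
    cat "$_out"
    rm -f "$_conf" "$_out"
}
```

The caller owns the returned file and should remove it when done, for example with `trap 'rm -f "$tmp"' EXIT` right after the call.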