
lynx-dev Re: Lynx and tmp files?


From: Klaus Weide
Subject: lynx-dev Re: Lynx and tmp files?
Date: Mon, 28 Dec 1998 07:16:15 -0600 (CST)

On 28 Dec 1998, Artur Grabowski wrote to me:

> Hi,
> 
> I was reading http://www.crl.com/%7Esubir/lynx/security.html and it has
> a patch for /tmp-related problems written by you. It says "Lynx 2.8 has a
> complete fix for this problem.", but neither the source for lynx 2.8.1 nor
> the current source seems to have any code from your patch.

That's right.  As far as I know, what is now in 2.8.1 is not based on
that old patch for 2.7.1.  I received practically no feedback on that
patch.  Without that, I didn't feel confident enough to push the patch
into the then-existing mainstream lynx code base, especially since at 
the time there were other discussions about solutions. So I left that
problem for others, hopefully more qualified wrt. the platform and
security issues, to solve.

So 2.8.1 addresses the problem in a different, more general manner, and I
believe it doesn't have some of the limitations of my patch.  I have never
tried a detailed comparison between the two solutions.  But the 2.8.1 code
(and the current 2.8.2dev development code) has had much more testing and
review than my old patch, so you should go with that.  I have no reason to
believe there are holes in it.  But if you are suspicious, you may still
want to give each user their own LYNX_TEMP_SPACE.

Note I don't say anything about 2.8, I don't know anything about the state
of the problem in that version.

> My question is, were the problems really solved? And how?

Those are questions for lynx-dev, not for me to answer.  As for the How -
you got the code, and you have the CHANGES files, in case you don't get a
reply that satisfies you better.

> (I'm not taking this to the lynx-dev list because my last attempts to mail
> that list were unanswered.)

Ah, but you should use lynx-dev for this.  If you are not subscribed, you
can still use the archives at <URL: http://www.flora.org/lynx-dev/html/>
for reading replies.

   Klaus
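
Added example (not part of the message above or of the Lynx sources): one way to act on the suggestion of giving each user their own LYNX_TEMP_SPACE, written as shell functions for a login profile. The default path `$HOME/.lynx-tmp` and the function names are assumptions made for this sketch.

```shell
# Print the octal permission bits of a path (GNU stat first, then BSD stat).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the numeric uid that owns a path.
owner_of() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# Create or validate a private directory, then export LYNX_TEMP_SPACE.
# Returns non-zero and leaves the variable untouched if the directory
# cannot be trusted.
setup_lynx_temp() {
    dir=${1:-"$HOME/.lynx-tmp"}   # assumed default location

    # A symlink could redirect temp files into a shared directory.
    if [ -L "$dir" ]; then
        echo "refusing symlink: $dir" >&2
        return 1
    fi

    if [ ! -d "$dir" ]; then
        # Plain mkdir (no -p) fails if something appears at this path
        # between the check and the create; -m 700 ignores the umask.
        mkdir -m 700 "$dir" || return 1
    fi

    # The directory must belong to the calling user.
    if [ "$(owner_of "$dir")" != "$(id -u)" ]; then
        echo "not owned by current user: $dir" >&2
        return 1
    fi

    # No group or other access; a looser directory is refused, not fixed,
    # because other users may already have placed files in it.
    case "$(perm_of "$dir")" in
        *00) ;;
        *) echo "group/other access on: $dir" >&2
           return 1 ;;
    esac

    LYNX_TEMP_SPACE=$dir
    export LYNX_TEMP_SPACE
}
```

Calling `setup_lynx_temp` from each user's shell profile before lynx starts keeps that user's temporary files out of the shared /tmp.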
