From: Rob Savoye
Subject: Re: [Gnash-dev] unsafe use of /tmp
Date: Fri, 07 Apr 2006 08:00:47 -0600
User-agent: Thunderbird 1.5 (X11/20051201)

Patrice Dumas wrote:
> It seems that gnash downloads the .swf files in /tmp. This is unsafe and opens the door for a symlink in /tmp attack. Moreover it allows other users to monitor a user's activity. I believe the .swf should be downloaded in ~/.gnash or similar. Or if downloaded to /tmp it should be done safely using mkstemp or similar things.
This is only temporary. I plan to make Gnash read the stream and render it instead. Unfortunately right now Gnash only uses disk-based files. I wasn't using mkstemp() because I wanted the download movie name to match what I see in the browser.
Currently there isn't a ~/.gnash directory, but I'm considering adding one to hold a config file. I can switch to downloading to that directory as well.
- rob -
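
One way to reconcile the two points in this thread (safe creation under /tmp, and a file name that still matches the movie name), shown as an added example that is not Gnash code or part of either message: create a private directory with mkdtemp() and create the file inside it with O_EXCL. The function name `open_download`, the `/tmp/gnash-` prefix and the sample file name are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns an open fd for <private dir>/<movie_name>
 * and writes the full path to out, or returns -1 with errno set. */
int open_download(const char *movie_name, char *out, size_t outlen)
{
    /* The name comes from a URL: refuse anything that could leave the directory. */
    if (movie_name[0] == '\0' || strchr(movie_name, '/') != NULL ||
        strcmp(movie_name, ".") == 0 || strcmp(movie_name, "..") == 0) {
        errno = EINVAL;
        return -1;
    }
    char dir[] = "/tmp/gnash-XXXXXX";   /* assumed prefix; suffix is randomized */
    if (mkdtemp(dir) == NULL)            /* atomically creates a unique 0700 directory */
        return -1;
    if ((size_t)snprintf(out, outlen, "%s/%s", dir, movie_name) >= outlen) {
        rmdir(dir);
        errno = ENAMETOOLONG;
        return -1;
    }
    /* O_EXCL fails if anything, including a symlink, already sits at the path. */
    int fd = open(out, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) {
        int saved = errno;
        rmdir(dir);
        errno = saved;
    }
    return fd;
}

int main(void)
{
    char path[4096];
    int fd = open_download("movie.swf", path, sizeof path); /* constructed name */
    if (fd < 0) { perror("open_download"); return 1; }
    printf("downloading to %s\n", path); /* caller removes file and directory later */
    close(fd);
    return 0;
}
```

Because the directory is mode 0700, other local users can neither plant a link inside it nor list the movie names it holds.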