Re: [Gnash-dev] unsafe use of /tmp

From: Rob Savoye
Subject: Re: [Gnash-dev] unsafe use of /tmp
Date: Fri, 07 Apr 2006 08:00:47 -0600
Patrice Dumas wrote:

It seems that gnash downloads the .swf files in /tmp. This is unsafe and opens the door to a symlink-in-/tmp attack. Moreover, it allows other users to monitor a user's activity. I believe the .swf should be downloaded in ~/.gnash or similar. Or, if downloaded to /tmp, it should be done safely using mkstemp or similar things.

This is only temporary. I plan to make Gnash read the stream and render it instead. Unfortunately, right now Gnash only uses disk-based files. I wasn't using mkstemp() because I wanted the downloaded movie's name to match what I see in the browser.

Currently there isn't a ~/.gnash directory, but I'm considering adding one to hold a config file. I can switch to downloading to that directory as well.

        - rob -
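The problem Patrice describes and the fix he suggests, as an added example that is not Gnash's own code: a predictable name under /tmp is opened with O_CREAT|O_TRUNC and no O_EXCL, so a symlink planted in advance under that name makes the player truncate and write whatever the link points at. The mkstemp() variant keeps the movie's basename as a prefix of the template (one way to keep the file recognisable), so the name is random only in its last six characters. The function names, the scratch directory, and the "clock.swf" / "victim.txt" file names are all assumptions made for the demonstration.

```c
/* Added example (not Gnash code): a predictable download name in /tmp versus
 * mkstemp() with the movie name kept as a prefix.  All names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PATH_BUF 4096

/* Unsafe pattern: the name is predictable and open() follows symlinks, so an
 * attacker who pre-creates dir/movie as a symlink makes us truncate and then
 * overwrite whatever it points at. */
int unsafe_open_download(const char *dir, const char *movie)
{
    char path[PATH_BUF];
    if (snprintf(path, sizeof path, "%s/%s", dir, movie) >= (int)sizeof path)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);   /* no O_EXCL */
}

/* Safer pattern: mkstemp() creates a brand-new file (O_EXCL semantics) with a
 * random suffix, so a pre-planted symlink is never followed.  The movie's
 * basename is kept as a prefix, e.g. "clock.swf.Ab3x9Q".  On success the
 * chosen path is written to out. */
int safe_open_download(const char *dir, const char *movie,
                       char *out, size_t outlen)
{
    const char *base = strrchr(movie, '/');        /* drop any directory part */
    base = base ? base + 1 : movie;
    if (*base == '\0' || !strcmp(base, ".") || !strcmp(base, "..")) {
        errno = EINVAL;
        return -1;
    }
    int n = snprintf(out, outlen, "%s/%s.XXXXXX", dir, base);
    if (n < 0 || (size_t)n >= outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    mode_t old = umask(077);      /* very old libcs created mkstemp() files 0666 */
    int fd = mkstemp(out);
    umask(old);
    return fd;
}

/* Demonstration: in a private scratch directory, plant a symlink named like
 * the movie and show that the unsafe open lands on (and truncates) the victim
 * file while the safe open creates a fresh, private regular file.  Returns 1
 * when only the unsafe path is fooled, 0 otherwise, -1 on setup error. */
int demonstrate(void)
{
    char scratch[] = "/tmp/tmpdemo.XXXXXX";
    if (!mkdtemp(scratch))
        return -1;
    char victim[PATH_BUF], link[PATH_BUF], chosen[PATH_BUF];
    snprintf(victim, sizeof victim, "%s/victim.txt", scratch);
    snprintf(link, sizeof link, "%s/clock.swf", scratch);

    /* The "victim" stands in for any file the user can write, e.g. ~/.bashrc */
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0 || write(vfd, "important\n", 10) != 10)
        return -1;
    close(vfd);
    if (symlink(victim, link) != 0)            /* attacker's pre-planted link */
        return -1;

    struct stat vst, ust, sst;
    stat(victim, &vst);

    int ufd = unsafe_open_download(scratch, "clock.swf");
    int unsafe_followed = (ufd >= 0 && fstat(ufd, &ust) == 0 &&
                           ust.st_ino == vst.st_ino && ust.st_size == 0);
    if (ufd >= 0) close(ufd);

    int sfd = safe_open_download(scratch, "http://example.invalid/clock.swf",
                                 chosen, sizeof chosen);
    int safe_isolated = (sfd >= 0 && lstat(chosen, &sst) == 0 &&
                         S_ISREG(sst.st_mode) && sst.st_ino != vst.st_ino &&
                         (sst.st_mode & 077) == 0);
    if (sfd >= 0) { close(sfd); unlink(chosen); }

    unlink(link); unlink(victim); rmdir(scratch);
    return unsafe_followed && safe_isolated;
}
```

The demonstration uses a 0700 scratch directory so that it runs regardless of the kernel's fs.protected_symlinks setting; in a sticky, world-writable /tmp that setting blocks following a symlink owned by another user, but it does not help on older kernels, on other operating systems, or with the second concern Patrice raises (a world-readable 0644 download that other users can watch), which the 0600 file from mkstemp() under a restrictive umask avoids.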

