Re: [Gnash-dev] unsafe use of /tmp

gnash-dev

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Gnash-dev] unsafe use of /tmp

From:	Rob Savoye
Subject:	Re: [Gnash-dev] unsafe use of /tmp
Date:	Fri, 07 Apr 2006 08:00:47 -0600
User-agent:	Thunderbird 1.5 (X11/20051201)

Patrice Dumas wrote:

It seems that gnash downloads the .swf files in /tmp. This is unsafe andopens the door for a symlink in /tmp attack. Moreover it allows other userto monitor a user activity. I believe the .swf should be downloaded in~/.gnash or similar. Or if downloaded to /tmp it should be done safely
using mkstemp or similar things.

This is only temporary. I plan to make Gnash read the stream andrender it instead. Unfortunately right now Gnash only uses disk basedfiles. I wasn't using mkstemp() because I wanted the download movie nameto match what I see in the browser.

Currently there isn't a ~/.gnash directory, but I'm consideringadding one to hold a config file. I can switch to downloading to thatdirectory as well.


        - rob -

[Prev in Thread]

Current Thread

[Next in Thread]

[Gnash-dev] unsafe use of /tmp, Patrice Dumas, 2006/04/07
- Re: [Gnash-dev] unsafe use of /tmp, Rob Savoye <=

Prev by Date: [Gnash-dev] unsafe use of /tmp
Next by Date: [Gnash-dev] packaging question
Previous by thread: [Gnash-dev] unsafe use of /tmp
Next by thread: [Gnash-dev] packaging question
Index(es):
- Date
- Thread