From mboxrd@z Thu Jan  1 00:00:00 1970
Path: quimby.gnus.org!not-for-mail
From: Colin Walters <walters@verbum.org>
Newsgroups: gmane.emacs.devel
Subject: Re: many packages write to `temporary-file-directory' insecurely
Date: 03 Mar 2002 23:50:26 -0500
Message-ID: <1015217426.869.30.camel@space-ghost>
References: <1014945351.23435.102.camel@space-ghost> 
	<200203040408.g2448Bd00535@aztec.santafe.edu>
NNTP-Posting-Host: quimby2.netfonds.no
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Trace: quimby2.netfonds.no 1015219121 10332 195.204.10.66 (4 Mar 2002 05:18:41 GMT)
X-Complaints-To: usenet@quimby2.netfonds.no
NNTP-Posting-Date: 4 Mar 2002 05:18:41 GMT
Original-Received: from fencepost.gnu.org ([199.232.76.164])
	by quimby2.netfonds.no with esmtp (Exim 3.12 #1 (Debian))
	id 16hkrx-0002gY-00
	for <emacs-devel@quimby.gnus.org>; Mon, 04 Mar 2002 06:18:41 +0100
Original-Received: from localhost ([127.0.0.1] helo=fencepost.gnu.org)
	by fencepost.gnu.org with esmtp (Exim 3.33 #1 (Debian))
	id 16hklc-000543-00; Mon, 04 Mar 2002 00:12:08 -0500
Original-Received: from monk.debian.net ([216.185.54.61] helo=monk.verbum.org)
	by fencepost.gnu.org with esmtp (Exim 3.33 #1 (Debian))
	id 16hkkg-0004zs-00
	for <emacs-devel@gnu.org>; Mon, 04 Mar 2002 00:11:10 -0500
Original-Received: from space-ghost.verbum.private (dhcp024-208-188-193.columbus.rr.com [24.208.188.193])
	(using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
	(Client CN "space-ghost.verbum.org", Issuer "monk.verbum.org" (verified OK))
	by monk.verbum.org (Postfix (Debian/GNU)) with ESMTP id 75F1A7400083
	for <emacs-devel@gnu.org>; Mon,  4 Mar 2002 00:10:26 -0500 (EST)
Original-Received: by space-ghost.verbum.private (Postfix (Debian/GNU), from userid 1000)
	id B9456851064; Sun,  3 Mar 2002 23:50:27 -0500 (EST)
Original-To: emacs-devel@gnu.org
In-Reply-To: <200203040408.g2448Bd00535@aztec.santafe.edu>
X-Mailer: Evolution/1.0 (Preview Release)
Errors-To: emacs-devel-admin@gnu.org
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.0.5
Precedence: bulk
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Post: <mailto:emacs-devel@gnu.org>
List-Subscribe: <http://mail.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
List-Id: Emacs development discussions. <emacs-devel.gnu.org>
List-Unsubscribe: <http://mail.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://mail.gnu.org/pipermail/emacs-devel/>
Xref: quimby.gnus.org gmane.emacs.devel:1716
X-Report-Spam: http://spam.gmane.org/gmane.emacs.devel:1716

On Sun, 2002-03-03 at 23:08, Richard Stallman wrote:
> I fixed most of the uses of make-temp-name to use make-temp-file
> instead.  I did not fix Gnus, and I asked maintainers of certain files
> to fix those files.

Well, you have to look carefully, because not all uses of
`make-temp-name' are insecure.  If you create a new temporary
subdirectory that is not world-writable, and then create files inside of
there, you're fine (as, for example, gnus-uu.el appears to do). 
However, it is still probably better to use `make-temp-file' regardless,
but Gnus probably has to consider portability between Emacsen.







_______________________________________________
Emacs-devel mailing list
Emacs-devel@gnu.org
http://mail.gnu.org/mailman/listinfo/emacs-devel