From: Glenn Morris
Newsgroups: gmane.emacs.bugs
Subject: bug#17416: [O] bug#17416: insecure temp files in ob-screen.el
Date: Thu, 08 May 2014 03:04:01 -0400
To: Eric Schulte
Cc: 17416@debbugs.gnu.org

Eric Schulte wrote:

>> org-babel-screen-session-write-temp-file and org-babel-screen-test seem
>> to use predictable temp-file names, which is a security issue. Using
>> `make-temp-file', or if the file names really need to be predictable,
>> something equivalent to `doc-view-make-safe-dir' (there should really be
>> a general utility function for this IMO) to first create a /tmp
>> subdirectory would avoid this.
>
> I just pushed up a fix for this issue. Thanks,

If you mean

http://orgmode.org/cgit.cgi/org-mode.git/commit/?id=fea672d30ef4701721c0d4aa70462760a6b21be7

then there's still org-babel-screen-test.

(These are definitely fixes that need merging into the emacs-24 branch.
IIUC this means they need to be in your maint branch?)
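
The two remedies named in the report above (`make-temp-file', or a private /tmp subdirectory when the file name must stay predictable), shown next to the predictable-name pattern as an added Emacs Lisp example. This is not code from ob-screen.el, doc-view.el or anyone in this thread; every `demo-` name and the "demo-screen" prefix are assumptions.

```elisp
;; Added example. Every `demo-' name and the "demo-screen" prefix are
;; hypothetical; none of this is ob-screen.el code.

(defun demo-write-predictable (body)
  "UNSAFE: write BODY to a fixed, guessable path in the temp directory.
Any local user can create that path, or a symlink at it, first."
  (let ((file (expand-file-name "demo-screen.tmp" temporary-file-directory)))
    (with-temp-file file (insert body))
    file))

(defun demo-write-unpredictable (body)
  "Write BODY to a file that `make-temp-file' created; return its name.
`make-temp-file' appends a random suffix and creates the file itself,
so a name that already exists is never reused."
  (let ((file (make-temp-file "demo-screen-")))
    (with-temp-file file (insert body))
    file))

(defun demo-make-safe-dir (dir)
  "Create DIR with mode 0700, or check that an existing DIR is safe.
Signal an error unless DIR is a real directory (not a symlink), owned
by the current user, with no group/other permission bits set."
  (condition-case nil
      ;; Create with tight permissions from the start, so there is no
      ;; window in which the directory is accessible to other users.
      (with-file-modes #o700 (make-directory dir))
    (file-already-exists nil))
  (let ((attrs (file-attributes dir 'integer))) ; does not follow symlinks
    (unless (and (eq (nth 0 attrs) t)           ; t means a real directory
                 (= (nth 2 attrs) (user-uid))   ; owned by us
                 (zerop (logand (file-modes dir) #o077)))
      (error "Unsafe temporary directory: %s" dir)))
  dir)

(defun demo-write-in-safe-dir (name body)
  "Write BODY to the predictable file NAME inside a private directory."
  (let* ((dir (demo-make-safe-dir
               (expand-file-name (format "demo-screen-%d" (user-uid))
                                 temporary-file-directory)))
         (file (expand-file-name name dir)))
    (with-temp-file file (insert body))
    file))
```

If the directory already exists and fails any of the three checks, `demo-make-safe-dir` signals an error instead of writing into it, which is the behaviour a caller should propagate rather than work around.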