digitalmars.D.bugs - [Issue 6172] New: rdmd: insecure temporary file creation

d-bugmail puremagic.com writes:
http://d.puremagic.com/issues/show_bug.cgi?id=6172

           Summary: rdmd: insecure temporary file creation
           Product: D
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: critical
          Priority: P2
         Component: DMD
        AssignedTo: nobody puremagic.com
        ReportedBy: edelkind+puremagic gmail.com



10:17:34 PDT ---
rdmd will create temporary files in /tmp/.rdmd .  A malicious user could
pre-create such a directory and link target files elsewhere.

A more appropriate location for temporary files would be under the user's home
directory (e.g. $HOME/.rdmd).  If the user's home directory is unwritable, then
/tmp/.rdmd.[random] may be used.

-- 
Configure issuemail: http://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
Jun 17 2011
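
The proposal in the report above (prefer $HOME/.rdmd, fall back to /tmp/.rdmd.[random]) as an added C example; it is not rdmd's code. The names `pick_cache_dir` and `dir_is_private` are hypothetical, and accepting an existing directory only when it is a real directory owned by the caller and not group- or world-writable is an assumption of this example. `main` runs a constructed scenario in which `.rdmd` was planted as a symlink.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if path is a real directory (not a symlink), owned by the caller and
   not writable by group or others; lstat() does not follow symlinks. */
static int dir_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISDIR(st.st_mode) && st.st_uid == geteuid() &&
           (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Hypothetical helper. Returns 1 if <home>/.rdmd is usable, 2 if it fell
   back to a fresh <tmp_root>/.rdmd.XXXXXX, 0 on failure. Path goes to out. */
int pick_cache_dir(const char *home, const char *tmp_root, char *out, size_t n)
{
    int len = home ? snprintf(out, n, "%s/.rdmd", home) : -1;
    if (len > 0 && (size_t)len < n) {
        /* mkdir() fails with EEXIST on anything already there, symlinks
           included; an existing entry is accepted only if it is private. */
        if (mkdir(out, 0700) == 0 || (errno == EEXIST && dir_is_private(out)))
            return 1;
    }
    len = snprintf(out, n, "%s/.rdmd.XXXXXX", tmp_root);
    if (len < 0 || (size_t)len >= n)
        return 0;
    return mkdtemp(out) ? 2 : 0; /* unique name, created with mode 0700 */
}

int main(void)
{
    /* Constructed scenario: a sandbox whose .rdmd was planted as a symlink. */
    char box[] = "/tmp/rdmd-demo.XXXXXX", planted[64], dir[128];
    if (!mkdtemp(box))
        return 1;
    snprintf(planted, sizeof planted, "%s/.rdmd", box);
    if (symlink("/", planted) != 0)
        return 1;
    int how = pick_cache_dir(box, box, dir, sizeof dir);
    printf("choice=%d dir=%s\n", how, how ? dir : "(none)");
    if (how) rmdir(dir);
    unlink(planted); rmdir(box);          /* clean up the sandbox */
    return how == 2 ? 0 : 1;
}
```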
d-bugmail puremagic.com writes:
http://d.puremagic.com/issues/show_bug.cgi?id=6172


gslopsema+dbugzilla gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gslopsema+dbugzilla gmail.c
                   |                            |om



Not assigned to me, however a patch which appends a string of random numbers to
/tmp/.rdmd can be found at

https://github.com/garslo/tools/commit/c19361441bf6546dfde2c450187c46856dd41965

with pull request

https://github.com/D-Programming-Language/tools/pull/4

Jul 22 2011
d-bugmail puremagic.com writes:
http://d.puremagic.com/issues/show_bug.cgi?id=6172


Walter Bright <bugzilla digitalmars.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |bugzilla digitalmars.com
         Resolution|                            |WORKSFORME



01:44:45 PDT ---
This was pulled and incorporated some time ago.

Apr 28 2012
d-bugmail puremagic.com writes:
http://d.puremagic.com/issues/show_bug.cgi?id=6172




05:37:04 PDT ---
Given that I reported this issue nearly a year ago, this isn't the sort of
response time that I was hoping for with either a security report or a
"critical" bug report.

For future reference, is there another avenue that I should use to report such
issues for a more timely acknowledgement, or is this the sort of response time
I should expect?

Apr 28 2012
d-bugmail puremagic.com writes:
http://d.puremagic.com/issues/show_bug.cgi?id=6172




08:26:45 PDT ---
If an issue stops you from getting work done, it's always a good idea to
substantiate the reason in the bug report. Also, starting a discussion on the
topic at http://forum.dlang.org is helpful.

On the face of it this doesn't look like a showstopper. If the matter is
absolutely essential, there are many possible workarounds, starting with
changing rdmd.d and ending with simply using dmd instead of rdmd for critical
work.

Apr 28 2012