From: Daniel Shahaf
To: Bart Schaefer
Cc: zsh-workers@zsh.org
Subject: Re: [PATCH] Re: Insecure tempfile creation
Date: Mon, 29 Dec 2014 00:49:57 +0000
Message-ID: <20141229004957.GA1737@tarsus.local2>
In-Reply-To: <141228004101.ZM28486@torch.brasslantern.com>
List-Id: Zsh Workers List
X-Seq: 34071

Bart Schaefer wrote on Sun, Dec 28, 2014 at 00:41:01 -0800:
> On Dec 27, 11:44pm, Bart Schaefer wrote:
> }
> } I suppose =(<<<'') would actually be better, since it won't fork. Hm.
> }
> } This patch does not yet tackle uses of "/tmp" that do not use $TMPPREFIX
>
> Fortunately I didn't find any of the latter except for the previously
> identified one in _cvs (_cvs_run). So the patch below changes the use
> of =(:) to =(<<<'') and repairs _cvs_run to create the temp directory
> in a safe (I hope) manner. Apply on top of 34067.
>

First of all, thanks for picking this up. I'd meant to get back to this
thread early January, but I'm happy to have been beaten to it :-)

Your patches look good to me, including the rmdir, but except for:

> - } =(: temporary file)
> + } =(<<<'temporary file')

I assume =(<<<'') was the intention.

Thanks again,

Daniel
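
Review bot: in the `+` line the here-string still carries the words 'temporary file', which were ignored arguments to `:` in the `-` line but are now written into the temporary file as its content. Use `=(<<<'')` there, matching the form named in the patch description, so that text does not end up in the file.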