Re: [PATCH] Re: Insecure tempfile creation

zsh-workers
 help / color / mirror / code / Atom feed

From: Peter Stephenson <p.stephenson@samsung.com>
To: Zsh hackers list <zsh-workers@zsh.org>
Subject: Re: [PATCH] Re: Insecure tempfile creation
Date: Thu, 08 Jan 2015 14:24:20 +0000	[thread overview]
Message-ID: <20150108142420.141e5f4b@pwslap01u.europe.root.pri> (raw)
In-Reply-To: <150108000821.ZM7996@torch.brasslantern.com>

On Thu, 8 Jan 2015 00:08:21 -0800
Bart Schaefer <schaefer@brasslantern.com> wrote:
> Fortunately, we have the zsh/files module which provides a buitin "ln"
> with well-defined semantics.  Hopefully that's good enough.

It's a little bit tangential, but it's always bothered me that the only
option we have for module builtins of this kind is to import the into
the command namespace under the standard name, trashing the use of the
system-standard utility your code may elsewhere depend on That is, you
can use "command ln" if you need to, but the point is in the majority of
existing code you would never have bothered to do that.

We made special arrangements for (z)stat but that really doesn't scale
well.

Apart from (z)stat, most of the builtins that look like standard utilies
are only there for special cases, e.g. for some reason you can't get to
the file system where they live, in which case there's no real problem.
But for uses like this there potentially is.

pws

next prev parent reply	other threads:[~2015-01-08 14:24 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-12-22 20:36 Daniel Shahaf
2014-12-22 22:01 ` Mikael Magnusson
2014-12-23  2:07   ` Bart Schaefer
2014-12-28  6:30 ` Bart Schaefer
2014-12-28  7:44   ` [PATCH] " Bart Schaefer
2014-12-28  8:41     ` Bart Schaefer
2014-12-29  0:49       ` Daniel Shahaf
2014-12-29  4:01         ` Bart Schaefer
2015-01-07 22:03           ` Daniel Shahaf
2015-01-08  6:22             ` Bart Schaefer
2015-01-08  6:48               ` Danek Duvall
2015-01-08  8:08                 ` Bart Schaefer
2015-01-08 14:10                   ` Daniel Shahaf
2015-01-08 14:24                   ` Peter Stephenson [this message]
2015-01-08 16:35                     ` Ray Andrews
2015-01-08 17:40                       ` Peter Stephenson
2015-01-09  2:51                     ` Mikael Magnusson
2015-01-09  9:02                       ` Peter Stephenson
2015-01-09 12:51                         ` Peter Stephenson
2015-01-09 13:35                           ` Peter Stephenson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150108142420.141e5f4b@pwslap01u.europe.root.pri \
    --to=p.stephenson@samsung.com \
    --cc=zsh-workers@zsh.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/zsh/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).