On 29/09/2011, at 9:34 AM, David Lutterkort wrote:

> Hi Tong,
>
> On Wed, 2011-09-28 at 11:33 -0700, [email protected] wrote:
>> From: Tong Li <[email protected]>
>
> first off, congrats, the patch applies now without any warnings. We are
> making progress ;)
>
> I have quite a few comments:

Just noticed something really old, but might still be important as it sounds indicative of a security problem.

<snip>

> * ... The mock driver stores its files in /var/tmp (how well does that
> actually work under Windows ?)

Just to ask the question, does this mean we have an information leak here, where "other users on a server" can potentially get details?

Also thinking "race condition", if more than one user is doing stuff with mock at the same time. (?)

If such a race can occur, and affect more than just mock, sounds like an easy DoS any time there's a self-service user interface. (i.e. Aeolus)

Regards and best wishes,

Justin Clift

--
Aeolus Community Manager
http://www.aeolusproject.org
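The two concerns raised above (files readable by other local users, and a shared directory that several users write into at once) can be checked and avoided in a few lines. The following Ruby is an added illustration written for this thread, not code from the mock driver or the project; the directory name `mock-<uid>` and the helper names are assumptions.

```ruby
require 'tmpdir'

# Audit a directory used as a file store (the thread's /var/tmp case).
# Returns symbolic findings; an empty list means the directory is
# private to the calling user.
def audit_store_dir(path)
  st = File.stat(path)
  mode = st.mode & 0o777
  findings = []
  findings << :world_readable      if mode & 0o004 != 0   # other users can list/read
  findings << :group_readable      if mode & 0o040 != 0
  findings << :world_writable      if mode & 0o002 != 0   # anyone can plant or replace files
  findings << :not_owned_by_caller if st.uid != Process.euid
  # A shared writable dir without the sticky bit lets users delete each other's files.
  findings << :no_sticky_bit if (mode & 0o002 != 0) && !st.sticky?
  findings
end

# Create a per-user private store under `base` (hypothetical layout:
# base/mock-<uid>, mode 0700) and verify ownership and permissions.
def private_store(base = Dir.tmpdir)
  dir = File.join(base, "mock-#{Process.euid}")
  Dir.mkdir(dir, 0o700) unless Dir.exist?(dir)
  File.chmod(0o700, dir)
  st = File.stat(dir)
  raise "store #{dir} not owned by caller" unless st.uid == Process.euid
  raise "store #{dir} too permissive" unless st.mode & 0o077 == 0
  dir
end

# Create a file with O_EXCL so a pre-existing file (e.g. one planted by
# another user, or a concurrent writer) makes the call fail with EEXIST
# instead of being silently reused; mode 0600 keeps the contents private.
def write_private(dir, name, data)
  path = File.join(dir, name)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(data) }
  path
end
```

On a shared world-writable directory `audit_store_dir` reports `:world_readable` and `:world_writable`, which is the information-leak condition the message asks about; the private store reports nothing.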
