Quite right Jonathan, thanks for pointing this out. This sort of thing is really bad practice.
What we should be looking to do is to add a proper log file location to /var/log and ensure the correct permissions. Additionally, an accompanying logrotate config should be added to stop things growing for ever more. However, as get_iplayer's output does not contain any sensitive info, and more importantly the output is not read back into a process, we're probably safe in this instance, probably.

On 1 August 2013 19:22, Jonathan Wiltshire <j...@debian.org> wrote:
> On 2013-08-01 10:40, Paul Verrall wrote:
>>
>> /usr/local/bin/get_iplayer --pvr 2>>/tmp/get_iplayer.log
>
> There's an unsafe-use-of-temporary-files attack here.
>
> --
> Jonathan Wiltshire j...@debian.org
> Debian Developer http://people.debian.org/~jmw
>
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
>
> <directhex> i have six years of solaris sysadmin experience, from
> 8->10. i am well qualified to say it is made from bonghits
> layered on top of bonghits
>
> _______________________________________________
> get_iplayer mailing list
> get_iplayer@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/get_iplayer
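The remedy sketched in the reply above (a fixed log under /var/log with restricted permissions, plus a logrotate policy, instead of a redirect into /tmp), as an added example that is not code from the thread or from get_iplayer. The optional root-prefix argument to each function is an assumption so the layout can be exercised under a scratch directory; ownership of the log is left to the administrator.

```shell
# Added example (not from the thread). Each function takes an optional
# root prefix, an assumption for exercising the layout without root.
set -eu

log_dir()     { printf '%s/var/log/get_iplayer' "${1:-}"; }
log_file()    { printf '%s/get_iplayer.log' "$(log_dir "${1:-}")"; }
rotate_conf() { printf '%s/etc/logrotate.d/get_iplayer' "${1:-}"; }

# A world-writable log directory such as /tmp lets another local user
# pre-create the file name (e.g. as a symlink) before the redirect opens
# it. Succeed only if the directory exists and is not world-writable.
log_dir_is_safe() {
  [ -d "$1" ] && [ -z "$(find "$1" -prune -perm -0002)" ]
}

# Directory 0750, log 0640: only owner and group read it. Ownership
# (chown to the PVR account) is left to the administrator.
setup_log() {
  dir=$(log_dir "${1:-}")
  install -d -m 0750 "$dir"
  : >> "$dir/get_iplayer.log"   # create without truncating an existing log
  chmod 0640 "$dir/get_iplayer.log"
  log_dir_is_safe "$dir"
}

# logrotate policy so the log cannot grow without bound.
write_logrotate() {
  conf=$(rotate_conf "${1:-}")
  install -d -m 0755 "$(dirname "$conf")"
  cat > "$conf" <<EOF
$(log_file "${1:-}") {
    weekly
    rotate 4
    compress
    missingok
    notifempty
    create 0640
}
EOF
}

# The cron line from the thread with the /tmp path replaced.
pvr_command() {
  printf '/usr/local/bin/get_iplayer --pvr 2>>%s\n' "$(log_file "${1:-}")"
}

if [ "${1:-}" = apply ]; then
  setup_log && write_logrotate && pvr_command
fi
```

Run with `apply` (as root, for the real paths) to create the directory, log file and logrotate policy and print the corrected cron line.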