On Thursday 13 November 2008 09:53:55, David Baelde wrote:
> I've just seen the Debian bug about temporary files:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496360
>
> If I understand correctly, what's wrong is to generate a temporary filename
> and assume that it is available without checking. Then, somebody may figure
> out what we generate and has a handle on controlling the behavior of the
> app (change the config, corrupt the logs, put illegal music on air, etc.)

Or create a symlink before the application is launched, and make it erase the
destination file.

> It's currently been partly addressed in liGuidsoap. What remains to be done
> is not to log in /tmp/liguidsoap-PID.log. I presume that it could be done
> easily using tempfile -- I'll try to do that soon, but it annoys me to
> maintain lig.

Yea. There still is a bit of randomization since the pid cannot be predicted,
though the SSH maintainers found this was not random enough... :-D

> Concerning liquidsoap itself, there is no such flaw, as far as I can see.
> Currently temporary files are used by default only for protocol
> resolutions, i.e. when downloading (http) or synthesizing (say) a file.
> In these cases Filename.temp_file is used, and it does provide a new,
> unused, file.

Fine!

Romain
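
The symlink problem with a `/tmp/liguidsoap-PID.log` style name, and the two usual fixes, as an added example that is not code from liguidsoap or from this thread. It assumes Python and its standard `tempfile` module (the mail does not say which "tempfile" is meant); the function names, the private directory standing in for `/tmp`, and the victim file are constructed for illustration.

```python
import os
import tempfile

def open_log_predictable(directory, name="liguidsoap"):
    """Weak pattern: fixed name + PID, opened with a plain truncating open."""
    path = os.path.join(directory, "%s-%d.log" % (name, os.getpid()))
    return path, open(path, "w")  # follows a pre-existing symlink, truncates its target

def open_log_exclusive(directory, name="liguidsoap"):
    """Same name, but refuse anything that already exists at that path."""
    path = os.path.join(directory, "%s-%d.log" % (name, os.getpid()))
    # O_CREAT|O_EXCL fails with EEXIST even when the path is a symlink.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    return path, os.fdopen(fd, "w")

def open_log_random(directory, name="liguidsoap"):
    """Unpredictable name, created atomically (O_EXCL) with mode 0600."""
    fd, path = tempfile.mkstemp(prefix=name + "-", suffix=".log", dir=directory)
    return path, os.fdopen(fd, "w")

def read(path):
    with open(path) as f:
        return f.read()

def demo():
    """Constructed scenario: a symlink already sits at the predictable path."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim.conf")
        with open(victim, "w") as f:
            f.write("important\n")
        planted = os.path.join(tmp, "liguidsoap-%d.log" % os.getpid())
        os.symlink(victim, planted)
        try:
            open_log_exclusive(tmp)
            results["exclusive_refused"] = False
        except FileExistsError:
            results["exclusive_refused"] = True
        results["victim_after_exclusive"] = read(victim)
        path, log = open_log_random(tmp)
        log.close()
        results["random_is_new_file"] = path != planted and not os.path.islink(path)
        _, log = open_log_predictable(tmp)  # run last: this one destroys the victim
        log.close()
        results["victim_after_predictable"] = read(victim)
    return results

if __name__ == "__main__":
    print(demo())
```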
