Reviewing merge request #11: Use a non-static filename for temporary created files

This is a security problem because an attacker can create a malicious
filename and make minitube crash. The temporary filenames must always
be non-static. This patch appends a randomly generated number at the end
of that file.

The bug was found on Gentoo bugzilla by Tomáš Pružina
<tomas.pruzina@gmail.com> and the original patch was created by him as
well.

https://bugs.gentoo.org/show_bug.cgi?id=377929

Commits that would be merged:

Version 1
  • 7f396ef
  • 70d1780
  • Use a non-static filename for temporary created files

Showing 7f396ef-70d1780

Comments

Pushed new version 1

There is a regression in my patch. Old tmp files do not get deleted, which is far from optimal. But anyway, you can adjust my patch in your code. Just make sure you don't use static filenames.

→ State changed from Open to Rejected

A better solution is coming in version 1.6
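
The problem in the description and the regression noted in the comments, as an added example that is not part of this merge request or of minitube's code: a POSIX C++ sketch that creates a uniquely named temporary file and removes it when its owner goes out of scope. It uses `mkstemp` rather than the appended random number the patch describes; `ScopedTempFile`, `path_exists` and the `minitube-example` prefix are hypothetical names.

```cpp
#include <cstdio>
#include <cstdlib>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Hypothetical helper, not minitube code: owns one uniquely named temp file.
class ScopedTempFile {
public:
    // The directory comes from TMPDIR or /tmp; prefix is chosen by the caller.
    explicit ScopedTempFile(const std::string &prefix) {
        const char *dir = std::getenv("TMPDIR");
        path_ = std::string(dir && *dir ? dir : "/tmp") + "/" + prefix + "-XXXXXX";
        // mkstemp fills in XXXXXX and opens with O_CREAT|O_EXCL, mode 0600, so
        // a file or symlink planted under a guessed name is never opened.
        fd_ = mkstemp(&path_[0]);
    }
    ~ScopedTempFile() {
        if (fd_ < 0) return;
        close(fd_);
        unlink(path_.c_str());  // remove the file so old temp files do not pile up
    }
    ScopedTempFile(const ScopedTempFile &) = delete;
    ScopedTempFile &operator=(const ScopedTempFile &) = delete;
    bool ok() const { return fd_ >= 0; }
    const std::string &path() const { return path_; }
    // Permission bits of the open file, or -1 on error.
    int mode() const {
        struct stat st;
        return fstat(fd_, &st) == 0 ? static_cast<int>(st.st_mode & 0777) : -1;
    }

private:
    std::string path_;
    int fd_ = -1;
};

// True if something exists at path (lstat does not follow symlinks).
bool path_exists(const std::string &path) {
    struct stat st;
    return lstat(path.c_str(), &st) == 0;
}

int main() {
    ScopedTempFile tmp("minitube-example");
    if (!tmp.ok()) return 1;
    std::printf("created %s with mode %o\n", tmp.path().c_str(),
                static_cast<unsigned>(tmp.mode()));
    return 0;
}
```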
