OK, I'll implement this on the w/e, and push it into the upcoming 4.2 release. Thank you Joey, as usual you've helped us unsafe bumbles again.
Sven

On Tue, 2007-10-23 at 20:00 -0400, Joey Hess wrote:
> Sven Dowideit wrote:
> > neat summary Joey :)
> >
> > The reason that I made it world writeable, is that twiki cgi's can be
> > run from the command line by anyone, and in doing so, create a session
> > file.
> >
> > This is used by cronjobs, and so that users can script additions to
> > topics etc.
>
> Making the temporary directory mode 1777 would not prevent that, but
> would prevent users from deleting and replacing twiki temp files.
>
> That and making the opens use O_EXCL, would cover the security issues I
> mentioned.

--
Professional Wiki Innovation and Support
Sven Dowideit - http://DistributedINFORMATION.com
A WikiRing Partner http://wikiring.com
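The two mitigations discussed above (a sticky 1777 temp directory plus O_CREAT|O_EXCL file creation), as an added Python example that is not part of this thread or of TWiki's own code; the directory and session file names it uses are constructed for the demonstration:

```python
import os
import stat
import tempfile


def secure_tmpdir(path):
    """Create a shared temp directory with mode 1777; return whether the
    sticky bit is set.  With the sticky bit, only a file's owner (or root)
    may delete or rename entries, so another local user who can run the
    CGI from the command line cannot remove a session file and replace it
    with their own."""
    os.makedirs(path, mode=0o1777, exist_ok=True)
    os.chmod(path, 0o1777)  # makedirs applies the umask; force the full mode
    return bool(os.stat(path).st_mode & stat.S_ISVTX)


def create_session_file(tmpdir, name, data):
    """Create a brand-new session file, or refuse if the name is taken.
    O_CREAT|O_EXCL makes check-and-create atomic: open() fails with EEXIST
    if anything already exists at the path, and it does not follow a
    symlink planted there, so a pre-placed file or link is neither reused
    nor written through.  Returns True on success, False on a clash."""
    path = os.path.join(tmpdir, name)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return True


def demo():
    """Run the scenario in a throwaway directory (constructed names) and
    return (sticky_set, first_create, clash, via_symlink, victim_written)."""
    base = tempfile.mkdtemp()
    tmpdir = os.path.join(base, "twiki_tmp")
    victim = os.path.join(base, "victim")  # file an attacker would target
    sticky = secure_tmpdir(tmpdir)
    first = create_session_file(tmpdir, "sess_1", "session one")
    clash = create_session_file(tmpdir, "sess_1", "overwrite attempt")
    os.symlink(victim, os.path.join(tmpdir, "sess_2"))  # pre-planted link
    via_link = create_session_file(tmpdir, "sess_2", "session two")
    return sticky, first, clash, via_link, os.path.exists(victim)


if __name__ == "__main__":
    print(demo())  # (True, True, False, False, False)
```

The sticky bit only stops other users from removing or renaming existing files; O_EXCL is what turns a name that was already taken, by a file or a symlink, into a hard failure rather than a silent reuse.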

