On Wed, 2011-07-13 at 18:48 +0200, Francois Tigeot wrote:
> On Wed, Jul 13, 2011 at 09:16:33AM -0600, Tor Lillqvist wrote:
> > Do we really want to have those access() checks there?
> >
> > I am not evil enough to think of a way to abuse that code (insert maniacal
> > laughter), but in general, isn't that exactly the kind of coding that
> > could be a security vulnerability? (TOCTTOU seems to be the technical
> > term, http://en.wikipedia.org/wiki/Time-of-check-to-time-of-use )
>
> These were added by Caolán; I've no strong feeling about them.
>
> Caolán, is there a special reason you added the access() checks ?
Yes, so that you don't end up using a tmp dir you're not able to write to and probably fall over and die. Re TOCTTOU, if someone has the power to replace your $TMPDIR then I think you're doomed anyway. But sure,

a) looking around at various apps and libs and what they do, a sufficient number of them just getenv for $TMPDIR and if not set then use /tmp, with no precheck that $TMPDIR is writable, so there's no real point in us attempting any check either given that we're at the top of a stack of things that will fail with an unwritable $TMPDIR.

b) it's probably indeed better to generally bail out early with epic failure if the TMPDIR isn't writable rather than let it run and use a shared /tmp in the face of an explicit attempt-gone-wrong to avoid using a shared /tmp.

Yeah, drop the access and let the callers handle later failure if it happens, which will happen anyway on a full partition.

C.

_______________________________________________
LibreOffice mailing list
LibreOffice@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/libreoffice
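An added example (not LibreOffice's code) of the two approaches discussed above: the access() pre-check on $TMPDIR, which answers only for the instant of the call, beside the alternative of creating the temp file directly with mkstemp() so that the create itself reports an unwritable or full directory. The "lo-XXXXXX" template name and the helper names are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* $TMPDIR if set and non-empty, else /tmp: the common convention the thread
 * describes, with no pre-check of writability. */
const char *tmpdir_from_env(void)
{
    const char *d = getenv("TMPDIR");
    return (d && *d) ? d : "/tmp";
}

/* The pattern the thread questions: access() reports whether the directory
 * is writable now, for the real uid, not whether the later create will
 * succeed. Kept only for contrast; nothing below depends on it. */
int tmpdir_precheck_racy(const char *dir)
{
    return access(dir, W_OK) == 0;
}

/* Create a unique temp file in `dir` (hypothetical template "lo-XXXXXX").
 * Returns an open read/write fd and fills `path`, or returns -1 with errno
 * set (ENOENT, EACCES, ENOSPC, ...). The failure a caller must handle
 * surfaces here, at the point of use, with no separate check to race. */
int create_tmpfile(const char *dir, char *path, size_t pathlen)
{
    int n = snprintf(path, pathlen, "%s/lo-XXXXXX", dir);
    if (n < 0 || (size_t)n >= pathlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(path);          /* atomic create-and-open, mode 0600 */
}

/* For code that still wants to fail early (point b in the thread): probe by
 * actually creating and removing a file instead of calling access().
 * Returns 0 if the create worked, else the errno it failed with. The probe
 * is still advisory; the real create can fail later (e.g. disk fills up). */
int probe_tmpdir(const char *dir)
{
    char path[4096];
    int fd = create_tmpfile(dir, path, sizeof path);
    if (fd < 0)
        return errno;
    close(fd);
    unlink(path);
    return 0;
}
```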