Re: os.tmpname security risk?

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: os.tmpname security risk?
From: steve donovan <steve.j.donovan@...>
Date: Sat, 2 Jul 2011 19:20:28 +0200

On Sat, Jul 2, 2011 at 12:29 PM, HyperHacker <hyperhacker@gmail.com> wrote:
> But what stops someone from removing that file and creating their own,
> or changing its permissions? It doesn't seem like this really
> mitigates the risk at all.

As the Monty Python skit goes, 'Sheer luxury!'.  os.tmpname() doesn't
even give you a suitable path to a temporary folder on Windows (you
would get something like '\s4n4.'). Not Lua's fault, of course, but
another example of the neglected wasteland known as the Windows C
run-time.

The version I use then is something like os.getenv('TMP')..os.tmpname().

steve d.

Follow-Ups:
- Re: os.tmpname security risk?, Dimiter "malkia" Stanev

References:
- os.tmpname security risk?, HyperHacker

Prev by Date: Re: Suggestion: file:write() and other methods should return file
Next by Date: Re: Delayed evaluation of expressions
Previous by thread: Re: os.tmpname security risk?
Next by thread: Re: os.tmpname security risk?
Index(es):
- Date
- Thread