Use mktemp to get the filename for storing the templating script
Using a fixed string could allow for abuse by anyone who has access to /tmp. One could place a symbolic link to any file to cause it to be overwritten when alternc.install is run.
This commit is contained in:
parent
71ed8bf5f4
commit
25fb13a240
|
|
@ -201,9 +201,7 @@ PUBLIC_IP_BEGIN=$(echo $PUBLIC_IP|cut -c 1)
|
|||
# Secret for PhpMyAdmin sessions
|
||||
PHPMYADMIN_BLOWFISH="$(generate_string 24)"
|
||||
|
||||
# XXX: I assume this is secure if /tmp is sticky (+t)
|
||||
# we should have a better way to deal with templating, of course.
|
||||
SED_SCRIPT="/tmp/alternc.install.sedscript"
|
||||
SED_SCRIPT=$(mktemp)
|
||||
cat > $SED_SCRIPT <<EOF
|
||||
s\\%%hosting%%\\$HOSTING\\;
|
||||
s\\%%fqdn%%\\$FQDN\\;
|
||||
|
|
|
|||
Loading…
Reference in New Issue