kienan
/
AlternC
mirror of https://github.com/kienanstewart/AlternC.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Use mktemp to get the filename for storing the templating script 

Using a fixed string could allow for abuse by anyone who has access to /tmp.
One could place a symbolic link to any file to cause it to be overwritten
when alternc.install is run.
This commit is contained in:
Kienan Stewart 2018-06-20 17:45:16 -04:00
parent 71ed8bf5f4
commit 25fb13a240
1 changed files with 1 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
install/alternc.install
View File

@ -201,9 +201,7 @@ PUBLIC_IP_BEGIN=$(echo $PUBLIC_IP|cut -c 1)
# Secret for PhpMyAdmin sessions # Secret for PhpMyAdmin sessions
PHPMYADMIN_BLOWFISH="$(generate_string 24)" PHPMYADMIN_BLOWFISH="$(generate_string 24)"
# XXX: I assume this is secure if /tmp is sticky (+t) SED_SCRIPT=$(mktemp)
# we should have a better way to deal with templating, of course.
SED_SCRIPT="/tmp/alternc.install.sedscript"
cat > $SED_SCRIPT <<EOF cat > $SED_SCRIPT <<EOF
s\\%%hosting%%\\$HOSTING\\; s\\%%hosting%%\\$HOSTING\\;
s\\%%fqdn%%\\$FQDN\\; s\\%%fqdn%%\\$FQDN\\;