Use mktemp to get the filename for storing the templating script
Using a fixed string could allow for abuse by anyone who has access to /tmp. One could place a symbolic link to any file to cause it to be overwritten when alternc.install is run.
This commit is contained in:
Camille Lafitte
parent
bd03632163
commit
cbfbb0c21a
|
|
@ -259,9 +259,7 @@ PUBLIC_IP_BEGIN=$(echo $PUBLIC_IP|cut -c 1)
|
|||
# Secret for PhpMyAdmin sessions
|
||||
PHPMYADMIN_BLOWFISH="$(generate_string 32)"
|
||||
|
||||
# XXX: I assume this is secure if /tmp is sticky (+t)
|
||||
# we should have a better way to deal with templating, of course.
|
||||
SED_SCRIPT="/tmp/alternc.install.sedscript"
|
||||
SED_SCRIPT=$(mktemp)
|
||||
# Escape passwords for sed and restore afterwards
|
||||
# Escaping '&' and '|' since those are used as special characters
|
||||
MYSQL_PASS_ORIG="$MYSQL_PASS"
|
||||
|
|
|
|||
Loading…
Reference in New Issue