kienan
/
AlternC
mirror of https://github.com/kienanstewart/AlternC.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Use mktemp to get the filename for storing the templating script 

Using a fixed string could allow for abuse by anyone who has access to /tmp.
One could place a symbolic link to any file to cause it to be overwritten
when alternc.install is run.
This commit is contained in:
Kienan Stewart 2018-06-20 17:45:16 -04:00 committed by Camille Lafitte
parent bd03632163
commit cbfbb0c21a
1 changed files with 1 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
install/alternc.install
View File

@ -259,9 +259,7 @@ PUBLIC_IP_BEGIN=$(echo $PUBLIC_IP|cut -c 1)
# Secret for PhpMyAdmin sessions # Secret for PhpMyAdmin sessions
PHPMYADMIN_BLOWFISH="$(generate_string 32)" PHPMYADMIN_BLOWFISH="$(generate_string 32)"
# XXX: I assume this is secure if /tmp is sticky (+t) SED_SCRIPT=$(mktemp)
# we should have a better way to deal with templating, of course.
SED_SCRIPT="/tmp/alternc.install.sedscript"
# Escape passwords for sed and restore afterwards # Escape passwords for sed and restore afterwards
# Escaping '&' and '|' since those are used as special characters # Escaping '&' and '|' since those are used as special characters
MYSQL_PASS_ORIG="$MYSQL_PASS" MYSQL_PASS_ORIG="$MYSQL_PASS"