
[gopher] Security problems in gopherd (Was Security alert)



John and others - 

There is also still the remaining issue of several uses of the
tempnam() call in gopherd.c.  I've been aware of them and meaning to
fix them for a while, but they seem to store the name of the temp file
in a global called ASKfile.  When I was looking at it, I wasn't able
to determine at the time what other dire consequences I'd cause if I
changed to a different call where the tempfilename wasn't stored in
ASKfile, so I haven't changed it yet.

It seems, though, that in some places, particularly for ASK data,
the daemon stores the response in a temporary file and then lets other
areas of the code reopen and read that.  (Hence the need for the temp
filename, I think.)  mkstemp looks like a possible replacement since
there's a way to get the temp filename out of it.

-- 
David Allen
http://opop.nols.com/
----------------------------------------
DISCLAIMER: Regardless of what you read below, I agree with you. 
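
The tempnam()-to-mkstemp() change discussed in the message above, as an added example that is not part of the original post and is not gopherd code: mkstemp() creates and opens the file in one step and writes the chosen name back into the template buffer, so a later code path can still reopen it by name. The names `ask_path`, `ask_store`, `ask_load` and the `/tmp/gopherask.XXXXXX` template are hypothetical stand-ins (`ask_path` plays the role of the ASKfile global).

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical stand-in for the ASKfile global: holds the temp file name. */
static char ask_path[64];

/* Create the temp file atomically with mkstemp() (exclusive create, owner-only
 * permissions), write the ASK response, and record the file's device/inode
 * so the later reopen can be checked. Returns 0 on success, -1 on error. */
int ask_store(const char *data, size_t len, struct stat *id)
{
    strcpy(ask_path, "/tmp/gopherask.XXXXXX");  /* constructed template */
    int fd = mkstemp(ask_path);                 /* replaces XXXXXX in place */
    if (fd < 0)
        return -1;
    if (write(fd, data, len) != (ssize_t)len || fstat(fd, id) != 0) {
        close(fd);
        unlink(ask_path);
        return -1;
    }
    return close(fd);
}

/* Reopen by name, as another part of the daemon would. Refuse symlinks and
 * verify it is the same file ask_store() created, then remove it.
 * Returns the number of bytes read, or -1 on error or mismatch. */
ssize_t ask_load(char *buf, size_t cap, const struct stat *id)
{
    struct stat now;
    int fd = open(ask_path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &now) != 0 ||
        now.st_dev != id->st_dev || now.st_ino != id->st_ino) {
        close(fd);
        return -1;
    }
    ssize_t n = read(fd, buf, cap);
    close(fd);
    unlink(ask_path);
    return n;
}
```

Keeping the descriptor from mkstemp() open and passing it to the reader avoids the reopen entirely; the device/inode check is for code that has to go back through the stored name.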


