Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: Insecure tempfile creation

X-seq: zsh-workers 34048
From: Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx>
To: zsh workers <zsh-workers@xxxxxxx>
Subject: Re: Insecure tempfile creation
Date: Mon, 22 Dec 2014 18:07:18 -0800
In-reply-to: <CAHYJk3SuwsxGG22+xEV7D9vh_zFOMSrXXCh_Xvg8P_DqxSAfMg@mail.gmail.com>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
References: <20141222203624.GA24855@tarsus.local2> <CAHYJk3SuwsxGG22+xEV7D9vh_zFOMSrXXCh_Xvg8P_DqxSAfMg@mail.gmail.com>

On Dec 22, 11:01pm, Mikael Magnusson wrote:
}
} Your first patch is not the best version of that solution;
} 
} +() {
} +  ${=${VISUAL:-${EDITOR:-vi}}} $1
} +  BUFFER="$(<$1)"
} +} =(print -R "$PREBUFFER$BUFFER")

Even that isn't the best formulation, =(<<<"$PREBUFFER$BUFFER") would
avoid forking the print.

} I don't know what the exec </dev/tty is for, but it can be added back
} if it's needed. I've used this patch for two years and never noticed
} any problems though.

Widgets run with stdin closed, so if the chosen editor doesn't open the
tty or one of the other std*s directly, it breaks without </dev/tty.

References:
- Insecure tempfile creation
  - From: Daniel Shahaf
- Re: Insecure tempfile creation
  - From: Mikael Magnusson

Messages sorted by: Reverse Date, Date, Thread, Author