r15451 - gnucash/branches/2.0 - /tmp/qof.trace or /tmp/gnucash.trace is opened for writing directly.

Derek Atkins warlord at cvs.gnucash.org
Sun Jan 28 12:40:38 EST 2007


Author: warlord
Date: 2007-01-28 12:40:36 -0500 (Sun, 28 Jan 2007)
New Revision: 15451
Trac: http://svn.gnucash.org/trac/changeset/15451

Modified:
   gnucash/branches/2.0/
   gnucash/branches/2.0/ChangeLog
   gnucash/branches/2.0/lib/libqof/qof/qoflog.c
Log:
/tmp/qof.trace or /tmp/gnucash.trace is opened for writing directly.
This could be a security issue if someone else, say, makes a symlink
to somewhere else.  Instead, create a tempfile and then rename it
into place which is safe against the symlink attack.
Patch by Bill Nottingham <notting at redhat.com>

Audit by hampton
Merge from r15435
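
The technique the log message describes (create a tempfile, then rename it into place), shown next to the direct open it replaces. This is an added C example, not the code from this revision's qoflog.c. The function names `open_log_direct`, `open_log_via_rename` and `victim_size_after`, and the scratch directory with its planted symlink, are hypothetical and constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Before: fopen() follows a symlink planted at `path` and truncates its target. */
static FILE *open_log_direct(const char *path) { return fopen(path, "w"); }

/* After: create a unique temp file next to `path`, then rename it into place. */
static FILE *open_log_via_rename(const char *path)
{
    char tmpl[4096];
    if (snprintf(tmpl, sizeof tmpl, "%s.XXXXXX", path) >= (int)sizeof tmpl)
        return NULL;
    int fd = mkstemp(tmpl);            /* new file: O_CREAT|O_EXCL, mode 0600 */
    if (fd < 0) return NULL;
    if (rename(tmpl, path) != 0) {     /* replaces the link itself, never follows it */
        unlink(tmpl); close(fd);
        return NULL;
    }
    FILE *fp = fdopen(fd, "w");
    if (!fp) close(fd);
    return fp;
}

/* Constructed scenario in a private scratch dir: `qof.trace` is a symlink to
 * `victim` (4 bytes). Returns the victim's size after the log is written. */
long victim_size_after(int use_rename)
{
    char dir[] = "/tmp/symlink-demo.XXXXXX", victim[128], trace[128];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(trace, sizeof trace, "%s/qof.trace", dir);
    FILE *v = fopen(victim, "w");
    if (!v) return -1;
    fputs("keep", v);
    fclose(v);
    if (symlink(victim, trace) != 0) return -1;
    FILE *log = use_rename ? open_log_via_rename(trace) : open_log_direct(trace);
    if (!log) return -1;
    fputs("trace output\n", log);
    fclose(log);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(trace); unlink(victim); rmdir(dir);
    return size;
}

int main(void) { printf("direct=%ld rename=%ld\n", victim_size_after(0), victim_size_after(1)); return 0; }
```

In a sticky-bit directory such as /tmp, `rename()` over an entry owned by another user fails, so the helper returns NULL instead of writing through the link; the caller has to tolerate running without a trace file.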



