Hi Daniel,

On 10/14/18 9:49 PM, Daniel Bermond via aur-general wrote:
I have a project of my own called screencast[4], which is a command line interface to record an X11 desktop using FFmpeg, having support for offline recording, live streaming and the capability of adding some effects. It's written in pure POSIX/portable shell script.
Just took some seconds of reading screencast and I noticed the following that you may want to fix, as I didn't spot in a 10 sec lookup what would mitigate the following:

https://github.com/dbermond/screencast/blob/HEAD/src/settings_general.sh#L31

You are using /tmp here, you should replace processing with a safe user owned directory acquired by `mktemp`.

The reason: It's vulnerable to symlink attacks, you can delete arbitrary user owned files via:

https://github.com/dbermond/screencast/blob/HEAD/src/system.sh#L31

Or steal secret data like ssh or gnupg secret keys by moving it outside of a user-only accessible folder via a `mv` gadget:

https://github.com/dbermond/screencast/blob/HEAD/src/system.sh#L40

cheers,
Levente
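The mitigation suggested above, as an added illustration that is not code from screencast or from either message in this thread: a private working directory created with `mktemp -d`, verified before use, with temporary file deletion confined to it. Function names (`make_workdir`, `check_workdir`, `confined_rm`, `cleanup_workdir`) and the `screencast.XXXXXX` template are assumptions for this example.

```sh
#!/bin/sh
# Added example, not screencast's own code: replace a fixed path under the
# world-writable /tmp with a private directory from mktemp -d, verify it
# before use, and keep temporary file operations confined to it.
# All function and variable names here are assumed, not the project's.

# make_workdir: create a fresh user-owned directory. mktemp -d uses an
# unpredictable name and mode 0700 and fails instead of reusing an existing
# path, so another user cannot plant a symlink where our files will land.
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/screencast.XXXXXX"
}

# check_workdir: accept a directory only if it is a real directory (not a
# symlink), owned by the caller, and has no group/other permission bits.
check_workdir() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    owner=$(ls -ld "$dir" | awk '{print $3}')
    [ "$owner" = "$(id -un)" ] || return 1
    case "$(ls -ld "$dir" | cut -c1-10)" in
        d???------) return 0 ;;
        *) return 1 ;;
    esac
}

# confined_rm: delete a temporary file only if it is a plain file directly
# inside the work directory, rather than removing a guessable /tmp path.
confined_rm() {
    dir=$1; name=$2
    case "$name" in */*|..|.|'') return 1 ;; esac
    target="$dir/$name"
    [ -f "$target" ] && [ ! -L "$target" ] || return 1
    rm -- "$target"
}

# cleanup_workdir: remove the whole directory, re-checking it first.
# Typical use at startup:
#   WORKDIR=$(make_workdir) && check_workdir "$WORKDIR" || exit 1
#   trap 'cleanup_workdir "$WORKDIR"' EXIT INT TERM
cleanup_workdir() {
    check_workdir "$1" && rm -rf -- "$1"
}
```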