[aur-general] TU Application: Daniel Bermond (dbermond)
Levente Polyak
anthraxx at archlinux.org
Sun Oct 14 22:10:31 UTC 2018
Hi Daniel,
On 10/14/18 9:49 PM, Daniel Bermond via aur-general wrote:
> I have a project of my own called screencast[4], which is a command line interface to record an X11 desktop using FFmpeg, having support for offline recording, live streaming and the capability of adding some effects. It's written in pure POSIX/portable shellscript.
Just took some seconds of reading screencast and I noticed the following
that you may want to fix, as I didn't spot in a 10sec lookup what would
mitigate the following:
https://github.com/dbermond/screencast/blob/HEAD/src/settings_general.sh#L31
You are using /tmp here, you should replace processing with a safe user
owned directory acquired by `mktemp`.
The reason:
It's vulnerable to symlink attacks, you can delete arbitrary user owned
files via:
https://github.com/dbermond/screencast/blob/HEAD/src/system.sh#L31
Or steal secret data like ssh or gnupg secret keys by moving it outside
of a user-only accessible folder via a `mv` gadget:
https://github.com/dbermond/screencast/blob/HEAD/src/system.sh#L40
cheers,
Levente
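The fix Levente recommends, as an added shell example that is not screencast's own code: a private working directory obtained from `mktemp -d`, re-verified before anything is deleted from it or moved into it. The function names and the `screencast.` template prefix are assumptions of the example, and the "vulnerable pattern" comment is an illustrative sketch, not the project's actual lines.

```shell
#!/bin/sh
# Added example, not code from the screencast project: replace a fixed path
# under /tmp with a private working directory obtained from `mktemp -d`, and
# verify it before deleting or moving anything inside it.

# Illustrative sketch of the pattern the mail describes (not the real lines):
#   tmpdir=/tmp/screencast          # predictable, shared with every local user
#   rm -rf "$tmpdir"/*              # deletes whatever a pre-planted entry points at
#   mv "$file" "$tmpdir"/           # writes into a directory we do not control

# Succeeds only if $1 is a real directory (not a symlink), owned by the
# current user and not readable, writable or searchable by anyone else.
verify_private_dir() {
    _d=$1
    [ -d "$_d" ] && [ ! -L "$_d" ] || return 1
    _owner=$(ls -ld "$_d" | awk '{print $3}')
    [ "$_owner" = "$(id -un)" ] || return 1
    # column 11 may carry an ACL/SELinux marker on some systems, so cut 1-10
    [ "$(ls -ld "$_d" | cut -c1-10)" = "drwx------" ] || return 1
}

# Creates a fresh, unpredictable 0700 directory under ${TMPDIR:-/tmp} and
# prints its path. mktemp -d creates it with mode 0700 and fails instead of
# reusing an existing entry, which is what closes the symlink race.
make_private_tmpdir() {
    _new=$(mktemp -d "${TMPDIR:-/tmp}/screencast.XXXXXX") || return 1
    if ! verify_private_dir "$_new"; then
        rmdir -- "$_new" 2>/dev/null
        return 1
    fi
    printf '%s\n' "$_new"
}

# Removes the working directory, but only after re-checking that it is still
# our private directory, so the cleanup step never follows a foreign link.
cleanup_private_tmpdir() {
    case $1 in
        "${TMPDIR:-/tmp}"/screencast.*) ;;
        *) return 1 ;;
    esac
    verify_private_dir "$1" || return 1
    rm -rf -- "$1"
}

# Typical use: create at start, register cleanup, work only inside $workdir.
#   workdir=$(make_private_tmpdir) || exit 1
#   trap 'cleanup_private_tmpdir "$workdir"' EXIT
#   mv -- "$file" "$workdir"/
```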