MOTHBALLED-graphviz icon indicating copy to clipboard operation
MOTHBALLED-graphviz copied to clipboard

Published 20 hours ago verified publisher icon ellson

Insecure Temporary File

Open ihsinme opened this issue 3 years ago • 0 comments

https://github.com/ellson/MOTHBALLED-graphviz/blob/ac239f71ea9f807590505e6862cebe50e992e271/lib/sparse/DotIO.c#L445

Good afternoon. I noticed in your code that the file is being generated, the filename is predictable and you are not setting the file permissions. this can be used to influence other files on the system (via temporary links) with the right to run your program. if it's important you need to use mkstemp or mkdtemp.

ihsinme avatar Oct 25 '21 08:10 ihsinme