Subject: Insecure /tmp usage in Mail::Audit
I was just about to reinstall Mail::Audit on a server that had
a much older version. I noticed that in the current code, it creates
terribly insecure temporary files that can no doubt be raced by users
to do nasty things.

    $MIME_PARSER_TMPDIR = "/tmp/".getpwuid($>)."-mailaudit";
    ...
    mkdir ($MIME_PARSER_TMPDIR, 0777);
    if (! -d $MIME_PARSER_TMPDIR) { $MIME_PARSER_TMPDIR = "/tmp" }
    $parser->output_under($MIME_PARSER_TMPDIR);

I just thought it was worth reporting, but Mail::Audit is fantastic. Thanks for writing it.
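
A hardened way to create the parser's scratch directory, shown as an added example that is not part of the original report and is not Mail::Audit's own code; the helper name private_parser_tmpdir is hypothetical. It replaces the predictable name, the 0777 mode, the unchecked mkdir and the fallback to /tmp with File::Temp's tempdir and an explicit ownership and mode check.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use Fcntl qw(:mode);

# Hypothetical helper (not part of Mail::Audit): returns a private scratch
# directory for the MIME parser, or dies. There is deliberately no fallback
# to a shared directory such as /tmp itself.
sub private_parser_tmpdir {
    # tempdir() chooses an unpredictable name under the system temp dir,
    # creates it with mode 0700, and croaks if creation fails. A name that
    # already exists (for example, one planted by another user) is never reused.
    my $dir = tempdir('mailaudit-XXXXXXXXXX', TMPDIR => 1, CLEANUP => 1);

    # lstat rather than stat or -d, so a symlink is inspected, not followed.
    my @st = lstat($dir) or die "lstat $dir: $!\n";
    my ($mode, $uid) = @st[2, 4];

    die "$dir is not a directory\n"            unless S_ISDIR($mode);
    die "$dir is not owned by uid $>\n"        unless $uid == $>;
    die "$dir is accessible to group/other\n"  if $mode & 0077;

    return $dir;
}

my $dir = private_parser_tmpdir();
printf "%s mode %04o\n", $dir, (lstat $dir)[2] & 07777;

# The directory would then be handed to the parser as in the quoted snippet:
# $parser->output_under($dir);
```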