cron sendmail output

Paul Verrall mrverrall at gmail.com
Fri Aug 2 04:26:51 EDT 2013


Quite right Jonathan, thanks for pointing this out. This sort of thing
is really bad practice.

What we should be looking to do is adding a proper log file location
to /var/log and ensuring the correct permissions. Additionally an
accompanying logrotate config should be added to stop things
growing for ever more.

However, as get_iplayer's output does not contain any sensitive info,
and more importantly the output is not read back into a process, we're
probably safe in this instance, probably.


On 1 August 2013 19:22, Jonathan Wiltshire <jmw at debian.org> wrote:
> On 2013-08-01 10:40, Paul Verrall wrote:
>>
>> /usr/local/bin/get_iplayer --pvr 2>>/tmp/get_iplayer.log
>
>
> There's an unsafe-use-of-temporary-files attack here.
>
>
> --
> Jonathan Wiltshire                                      jmw at debian.org
> Debian Developer                         http://people.debian.org/~jmw
>
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
>
> <directhex> i have six years of solaris sysadmin experience, from
>             8->10. i am well qualified to say it is made from bonghits
>                         layered on top of bonghits
>
>
> _______________________________________________
> get_iplayer mailing list
> get_iplayer at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/get_iplayer
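
The fix discussed in this message (a dedicated log location with correct permissions, plus a logrotate config), sketched as an added example that is not part of the original post or of get_iplayer itself. The `/var/log/get_iplayer` directory, the function names and the `--run` switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. LOG_DIR is an assumed location; create it
# once as root:  install -d -m 0750 -o <user> -g <group> /var/log/get_iplayer
LOG_DIR="${LOG_DIR:-/var/log/get_iplayer}"

# check_log_target DIR NAME
# Succeeds only if no other local user can influence where DIR/NAME points.
check_log_target() {
    dir=$1
    file=$1/$2
    # A real directory (not a symlink) owned by the user running the job.
    [ -d "$dir" ] && [ ! -L "$dir" ] && [ -O "$dir" ] || return 1
    # Not group- or world-writable, so nobody else can plant entries in it.
    [ -z "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ] || return 1
    # An existing entry must be a regular file we own, never a symlink.
    if [ -e "$file" ] || [ -L "$file" ]; then
        [ -f "$file" ] && [ ! -L "$file" ] && [ -O "$file" ] || return 1
    fi
    return 0
}

# logrotate_stanza PATH: print a logrotate config for the log, to be saved
# under /etc/logrotate.d/ (file name is up to the administrator).
logrotate_stanza() {
    cat <<EOF
$1 {
    weekly
    rotate 4
    compress
    missingok
    notifempty
}
EOF
}

# run_pvr: the cron job from the thread, with stderr appended to the checked log.
run_pvr() {
    umask 027
    if ! check_log_target "$LOG_DIR" get_iplayer.log; then
        echo "refusing to write $LOG_DIR/get_iplayer.log" >&2
        return 1
    fi
    /usr/local/bin/get_iplayer --pvr 2>>"$LOG_DIR/get_iplayer.log"
}

# Only run the job when asked to, e.g. from crontab: this_script --run
if [ "${1:-}" = "--run" ]; then run_pvr; fi
```

Because the directory is private to the job's user, the symlink and ownership checks cannot be raced by another local account, which is the property a fixed name under `/tmp` lacks.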


