Insecure use of /tmp #81

jwilk · 2018-03-04T17:19:44Z

The way vim-anywhere uses /tmp is insecure. Malicious local user could create /tmp/vim-anywhere, make it writable to everyone, and then read or tamper with other users' files in this directory. In the worst case, when a victim uses vim-anywhere to create a shell script to be pasted to shell, they could end up with arbitrary code execution.

Please use mktemp -d for creating temporary directories.

The text was updated successfully, but these errors were encountered:

Closes cknadler#81

fix cknadler#81

timbaileyjones · 2023-12-20T05:39:07Z

The PR#4 for this issue was merged, but this ticket remains open.

Somebody wanna close it?

StefanSchroeder · 2024-11-17T20:50:47Z

For the record: This insecure use is captured in https://cwe.mitre.org/data/definitions/377.html

lucaskanashiro added a commit to lucaskanashiro/vim-anywhere that referenced this issue Mar 5, 2018

Use mktemp to create temporary directory and files

9412e8b

Closes cknadler#81

lucaskanashiro mentioned this issue Mar 5, 2018

Use mktemp to create temporary directory and files #85

Open

Strus added a commit to Strus/vim-anywhere that referenced this issue May 1, 2022

Create temporary file safely using mktemp

a55f7a5

fix cknadler#81

MaG21 mentioned this issue Dec 24, 2022

Use mktemp to create temporary directory and files MaG21/vim-anywhere#4

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Insecure use of /tmp #81

Insecure use of /tmp #81

jwilk commented Mar 4, 2018

timbaileyjones commented Dec 20, 2023

StefanSchroeder commented Nov 17, 2024

Insecure use of /tmp #81

Insecure use of /tmp #81

Comments

jwilk commented Mar 4, 2018

timbaileyjones commented Dec 20, 2023

StefanSchroeder commented Nov 17, 2024