Received: with LISTAR (v1.0.0; list gopher);
 Wed, 17 Jan 2001 17:15:25 -0600 (CST)
Return-Path: <opop@erols.com>
Delivered-To: gopher@complete.org
Received: from gtei2.bellatlantic.net (gtei2.bellatlantic.net [199.45.40.146])
	by pi.glockenspiel.complete.org (Postfix) with ESMTP id 4FD243B802
	for <gopher@complete.org>; Wed, 17 Jan 2001 17:15:18 -0600 (CST)
Received: from mothra (adsl-141-152-12-101.bellatlantic.net [141.152.12.101])
	by gtei2.bellatlantic.net (8.9.1/8.9.1) with ESMTP id SAA20730
	for <gopher@complete.org>; Wed, 17 Jan 2001 18:15:07 -0500 (EST)
Received: from x by mothra with local (Exim 3.20 #1 (Debian))
	id 14J1ip-0004Ne-00
	for <gopher@complete.org>; Wed, 17 Jan 2001 18:10:31 -0500
Date: Wed, 17 Jan 2001 18:10:31 -0500
From: David Allen <s2mdalle@titan.vcu.edu>
To: gopher@complete.org
Subject: [gopher] Security problems in gopherd (Was Security alert)
Message-ID: <20010117181031.A16810@mothra>
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii
User-Agent: Mutt/1.0.1i
Content-Transfer-Encoding: 8bit
X-archive-position: 120
X-listar-version: Listar v1.0.0
Sender: gopher-bounce@complete.org
Errors-to: gopher-bounce@complete.org
X-original-sender: s2mdalle@titan.vcu.edu
Precedence: bulk
Reply-to: gopher@complete.org
List-help: <mailto:listar@complete.org?Subject=help>
List-unsubscribe: <mailto:gopher-request@complete.org?Subject=unsubscribe>
List-software: Listar version 1.0.0
X-List-ID: Gopher <gopher.complete.org>
List-subscribe: <mailto:gopher-request@complete.org?Subject=subscribe>
List-owner: <mailto:jgoerzen@complete.org>
List-post: <mailto:gopher@complete.org>
List-archive: <http://www.complete.org/mailinglists/archives/>
X-list: gopher


John and others - 

There is also still the remaining issue of several uses of the
tempnam() call in gopherd.c.  I've been aware of them and meaning to
fix them for a while, but they seem to store the name of the temp file
in a global called ASKfile.  When I was looking at it, I wasn't able
to determine at the time what other dire consequences I'd cause if I
changed to a different call where the tempfilename wasn't stored in
ASKfile, so I haven't changed it yet.

It seems though that in some places particularly for ASK data, that
the daemon stores the response in a temporary file and then lets other
areas of the code reopen and read that.  (Hence the need for the temp
filename I think)  mkstemp looks like a possible replacement since
there's a way to get the temp filename out of it.

-- 
David Allen
http://opop.nols.com/
----------------------------------------
DISCLAIMER: Regardless of what you read below, I agree with you.