[darcs-devel] [issue385] changes --repo=URL failure outside a
repository
Zachary P. Landau
kapheine at divineinvasion.net
Fri Feb 2 17:02:17 PST 2007
> Actually, now that I think about it, I suspect that withTemp is inherently
> insecure, based on what I know, if the temp file is created in /tmp. My
> understanding is that any use of a filename in /tmp is a bug, and of course
> withTemp only allows use of the filename. I don't know all the tricks that
> can be used to take advantage of insecure temp file handling, but that's my
> understanding. Which is why we don't use /tmp for most of our temp files.
Today I realized that I was actually trying to solve the wrong problem.
The issue of where and how to create temporary files is something that
might have a better solution. But with the current logic, connecting to
a remote repository outside of a local repository should still be able
to make a temporary file in $TMPDIR, $DARCS_TMP, or the current
directory.
Darcs tries to create the temporary file at the top of the root
directory. I believe this is because darcs first tries to find a
directory somewhere in our current path. The seekPos function keeps
changing the directory until it gets back to /, and then returns saying
it couldn't find a repository. I believe it'd be better if, when
seekPos couldn't find a repository, it restored the directory it started
in.
I'll try to get a patch together tomorrow. As for tonight, I just got
off of work and I have beer to drink and movies to watch.
--
Zachary P. Landau <kapheine at divineinvasion.net>
GPG: gpg --recv-key 0xC9F82052 | http://divineinvasion.net/kapheine.asc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.osuosl.org/pipermail/darcs-devel/attachments/20070202/e8be5a8f/attachment.pgp
More information about the darcs-devel
mailing list