You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@libcloud.apache.org by "daveb (Reopened) (JIRA)" <ji...@apache.org> on 2011/10/20 15:36:10 UTC

[dev] [jira] [Reopened] (LIBCLOUD-95) if LIBCLOUD_DEBUG is a digit the location d = "/tmp/libcloud_debug.log" is used

     [ https://issues.apache.org/jira/browse/LIBCLOUD-95?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

daveb reopened LIBCLOUD-95:
---------------------------


Sorry, I never got an email follow up to the reply to this issue.
Actually, the concern is that the use of the hard-coded location without proper pre-checks is a case of "Insecure Temporary File" http://cwe.mitre.org/data/definitions/377.html . I know this is a debug mode, but doing it _right_ tm is always a good thing :-)
                
> if LIBCLOUD_DEBUG is a digit the location  d = "/tmp/libcloud_debug.log" is used
> --------------------------------------------------------------------------------
>
>                 Key: LIBCLOUD-95
>                 URL: https://issues.apache.org/jira/browse/LIBCLOUD-95
>             Project: Libcloud
>          Issue Type: Bug
>            Reporter: daveb
>
> if LIBCLOUD_DEBUG is a digit the location  "/tmp/libcloud_debug.log" is used for logging (data is appended to the file) when libcloud is imported. /tmp/libcloud_debug.log could potentially be a symbolic link to another file, e.g. /home/hi/.bashrc. 
> see https://github.com/apache/libcloud/blob/4223c8e235337fbb2935eb0e6c78eab50b158609/libcloud/__init__.py line 54.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira