Signed-off-by: pinkforest <36498018+pinkforest@users.noreply.github.com>
From what I can tell, the only possible issue is a denial of service. As in, tempfile acts like

I don't think we should file an advisory for this one, at least for now. It looks like the security expectations for temporary file creation methods are not clear-cut, and I don't think we should publish a non-actionable advisory for a hypothetical issue. We could continue discussing possible improvements with the maintainer (as @5225225 just asked in Stebalien/tempfile#178 (comment)).

Yeah, "don't do it", or at the very least "do it, but only as a 'hey, we fixed it in this newer version, you should all go update'" seems like the best plan.

Yeah, it seems to me like this would be a very noisy advisory with relatively low impact. Agreed it's fine as encouragement to upgrade.

Yeah, agreed, I'll just close and we can re-hash later if needed. As a positive note, at least we got some upstream fix going. Thanks all 💜
Since this crate also advertises itself as being secure and portable, it might be feasible to remove recommendations and/or flag an advisory either as informational or regular where the crate makes these guarantees and may not provide them.

Stebalien/tempfile#178

We previously recommended to use `tempfile` at `temporary` here: #1196
https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File

Proposal

Removing the recommendation to use `tempfile` from the earlier `temporary` advisory. Also removes the advertised reference from `tempdir`.

Should we also file an advisory in addition, not recommending it? There is no real PoC or anything, but 🤷‍♀️

Perhaps we should use the `informational = "notice"` category finally?

@5225225 and @vks could you review this please?