aheckmann / m

mongodb version management
MIT License

Insecure temporary file use #38

Closed p-mongo closed 6 years ago

p-mongo commented 6 years ago

m hardcodes /tmp/m.log as its log path and writes to that file even if it exists. An unprivileged user can set up a symlink from this path to anywhere on the system, and if m is invoked as, say, root this can allow unprivileged users to overwrite arbitrary files on the system causing a denial of service.

Using mktemp should be an improvement over the current situation.

stennie commented 6 years ago

Thanks @p-mongo! The log file is only used when unpacking a downloaded tarball (and only potentially useful in the event of error). I've updated to use mktemp as suggested.

Regards, Stennie
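As an added example (not code from the m project), a shell sketch of the pattern stennie describes: the log file is created with mktemp, removed on success and kept only when unpacking fails, alongside a defensive check that refuses to write through a pre-existing symlink at a fixed path. Function names and the `m.log.XXXXXX` template are assumptions.

```shell
#!/bin/sh
# Added example, not from the m project. Function names are hypothetical.

# Weak pattern: a predictable path in a world-writable directory, reused
# across runs. Whatever already sits there (file or symlink) gets followed
# and overwritten by the next redirect.
weak_log_path() {
    printf '%s\n' "/tmp/m.log"
}

# Hardened pattern: mktemp creates a fresh, uniquely named file with mode
# 0600 using O_EXCL, so no pre-existing path can be followed. Honours
# TMPDIR so the log need not live in /tmp at all.
safe_log_path() {
    mktemp "${TMPDIR:-/tmp}/m.log.XXXXXX"
}

# Defensive check for code that still must write to a fixed path:
# returns 0 only if nothing is there, or a plain regular file is there
# (not a symlink, not a directory or device).
log_path_is_safe() {
    p=$1
    if [ -L "$p" ]; then
        return 1                      # symlink: would write elsewhere
    fi
    if [ -e "$p" ] && [ ! -f "$p" ]; then
        return 1                      # exists but is not a regular file
    fi
    return 0
}

# Unpack a tarball, logging only to a mktemp'd file. On success the log is
# discarded; on failure its path is reported so the user can inspect it.
unpack_with_log() {
    tarball=$1
    dest=$2
    log=$(safe_log_path) || return 1
    if tar -xf "$tarball" -C "$dest" >"$log" 2>&1; then
        rm -f "$log"
        return 0
    fi
    echo "unpack failed, see $log" >&2
    return 1
}
```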