raszi / node-tmp

Temporary file and directory creator for node.js
MIT License

SECURITY: options.template allows arbitrary paths to be injected into tmp #156

Closed silkentrance closed 4 years ago

silkentrance commented 6 years ago

Operating System

NodeJS Version

Tmp Version

all existing and current code base.

Expected Behavior

options.template can contain arbitrary absolute or relative paths.

Experienced Behavior

Depending on the effective user, tmp will be able to create or delete or replace arbitrary files in the file system.

Security Concern

This can be a major security concern, depending on how applications make use of tmp.

silkentrance commented 6 years ago

This requires #143.

silkentrance commented 6 years ago

With #143 in place, this should no longer be a problem unless one is capable of injecting paths relative to the configured default or user-provided tmp dir.

silkentrance commented 4 years ago

Still a problem. Reopening.
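
The path handling this issue is about, as an added example that is not part of the thread or of tmp's own code: `naiveResolve` shows where a caller-influenced template lands when it is joined to the tmp dir unchecked, and `safeResolve` accepts only a bare file name that stays inside that directory. Both function names, the `/tmp/app` directory and the sample templates are assumptions constructed for illustration; POSIX paths are assumed.

```javascript
'use strict';
const path = require('path');

// Unchecked join: "../" segments or an absolute template decide the final
// location, so the file can be created outside the tmp dir.
function naiveResolve(tmpDir, template) {
  return path.resolve(tmpDir, template);
}

// Hardened variant (hypothetical helper, not part of tmp's API).
function safeResolve(tmpDir, template) {
  if (typeof template !== 'string' || !/XXXXXX/.test(template)) {
    throw new Error('template must be a string containing XXXXXX');
  }
  // A template is a file name pattern: reject both separator styles and NUL.
  if (/[\\/]/.test(template) || template.includes('\0')) {
    throw new Error('template must not contain path separators');
  }
  const base = path.resolve(tmpDir);
  const target = path.resolve(base, template);
  // Defence in depth: the resolved path must still sit below the tmp dir.
  const rel = path.relative(base, target);
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error('template escapes the tmp dir');
  }
  return target;
}

// True when safeResolve refuses the template.
function isRejected(tmpDir, template) {
  try {
    safeResolve(tmpDir, template);
    return false;
  } catch (err) {
    return true;
  }
}

// Constructed sample inputs: one legitimate template, three that leave TMP.
const TMP = '/tmp/app';
const samples = ['upload-XXXXXX.txt', '../../outside/XXXXXX',
                 '/var/other/XXXXXX', 'sub/../../XXXXXX'];
for (const t of samples) {
  const verdict = isRejected(TMP, t) ? 'rejected' : 'accepted';
  console.log(`${t} -> naive: ${naiveResolve(TMP, t)} | hardened: ${verdict}`);
}
```

Callers that pass user-influenced values into `options.template` can apply a check of this kind before calling the library, independent of which tmp version is installed.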