Apache OpenOffice (AOO) Bugzilla – Issue 10626
security: broadcast document to the world on pdf/fax output
Last modified: 2003-02-18 10:27:13 UTC
salprnpsp.cxx gets the psprint code to write to a tmpname, e.g. /tmp/fileNNNNN, which means that the entire document is written to a world-readable /tmp/file before it's sent. To replicate, use spadmin to set up a fax / pdf printer, poke at /tmp/ while it's printing - and marvel as well at the _two_ files fileNNNN and fileNNNN.ps (identical lengths) that it dumps out - both with the document in (presumably). While these are deleted afterwards - for any significantly sized document (and given the duplicate printing) it should be easy to grab a link to the document while it's being printed. This bug also affects StarOffice 6.0.
Created attachment 4284: Patch to fix daft security hole
Thank you for calling me daft. If you bothered to look at the link count of those "two" files you would see that they are actually only one.
fixed in CWS vcl03
Sounds like I offended you - sorry. I didn't call you daft (which is a very mild word incidentally) - I called the code daft - which it was :-) We all write such things; in fact my suggested patch didn't fix another problem in the mkstemp path; the template string there needs to contain some XXXXXs I believe, thus we're missing a: strcpy (tmpfilename, "fileXXXXXX"); Without that I still get problems on Linux printing. I see the 'link' statement in passFileToCommandLine now - so it's only output once indeed. Trying to help ... a thankless task it seems.
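The mkstemp usage discussed in the comment above, as an added example that is not attachment 4284 or the project's code: a spool file created with a template ending in "XXXXXX" and readable only by its owner. The helper names open_private_spool and spool_mode, and the use of /tmp in main, are assumptions made for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create a spool file in `dir` that only the owner can
 * read. `tmpl` must end in "XXXXXX", e.g. "fileXXXXXX". Returns an open fd and
 * stores the generated name in `path`, or returns -1 with errno set. */
int open_private_spool(const char *dir, const char *tmpl, char *path, size_t len)
{
    size_t tl = strlen(tmpl);
    if (tl < 6 || strcmp(tmpl + tl - 6, "XXXXXX") != 0) {
        errno = EINVAL;            /* do not rely on libc to reject the template */
        return -1;
    }
    int n = snprintf(path, len, "%s/%s", dir, tmpl);
    if (n < 0 || (size_t)n >= len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    mode_t old = umask(077);       /* glibc 2.06 and earlier created 0666 files */
    int fd = mkstemp(path);        /* O_CREAT|O_EXCL on a unique name */
    int saved = errno;
    umask(old);
    errno = saved;
    return fd;
}

/* Permission bits of an open file, or -1 on error. */
int spool_mode(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

int main(void)
{
    char path[4096];
    int fd = open_private_spool("/tmp", "fileXXXXXX", path, sizeof path);
    if (fd < 0) { perror("open_private_spool"); return 1; }
    printf("%s mode %04o\n", path, (unsigned)spool_mode(fd));
    /* the print job would be written to fd here, then handed to the command */
    close(fd);
    unlink(path);
    return 0;
}
```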
No problem. At times I actually am a bit daft :-). Regarding the mkstemp issue I wrote to the IRIX people who invented it, but never got an answer. I wonder why the FreeBSD people simply set onto the same path, but didn't want to simply kick out their code. What are your other Linux printing problems? And thank you for helping.
verified in vcl03
seen in 644m3