If `$HOME` doesn't exist, don't create it with 0777 permissions #1145
Labels: security
Experienced during #1144
I recognize this is `app_dirs2` defaults taking effect, but perhaps this is something where the defaults should be avoided or worked around (e.g. bail if `app_dirs2::get_app_root` returns a directory that doesn't exist). It is unexpected for a document generation program to create a globally-writeable home directory, which may silently reduce security by allowing any other program running as any user to manipulate the behaviour of programs running as the user that ran Tectonic.

Implementing #1144 would allow people to avoid this situation in other ways.
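
One way to implement the "bail if the directory doesn't exist" behaviour suggested above, as an added example that is not Tectonic's or app_dirs2's code: the hypothetical `ensure_private_dir` helper refuses to create a missing home directory, creates the application directory beneath it with mode 0700 (an assumed choice), and rejects an existing directory that is group- or world-writable. It is Unix-only and the paths in `main` are constructed.

```rust
use std::fs::{self, DirBuilder};
use std::io::{Error, ErrorKind, Result};
use std::os::unix::fs::{DirBuilderExt, PermissionsExt};
use std::path::Path;

/// Hypothetical helper (not Tectonic or app_dirs2 code): prepare `dir` under
/// `home` without ever creating `home` itself, and never with a loose mode.
pub fn ensure_private_dir(home: &Path, dir: &Path) -> Result<()> {
    if !dir.starts_with(home) {
        return Err(Error::new(ErrorKind::InvalidInput, "dir is not under home"));
    }
    // Bail if the home directory is missing: metadata() returns NotFound here,
    // so a nonexistent $HOME is reported instead of silently created.
    if !fs::metadata(home)?.is_dir() {
        return Err(Error::new(ErrorKind::InvalidInput, "home is not a directory"));
    }
    // Every directory created below home gets 0700 (further limited by umask).
    DirBuilder::new().recursive(true).mode(0o700).create(dir)?;
    // The directory may have existed already: reject group/world-writable ones.
    let mode = fs::metadata(dir)?.permissions().mode() & 0o777;
    if mode & 0o022 != 0 {
        return Err(Error::new(
            ErrorKind::PermissionDenied,
            format!("{} has mode {:o}", dir.display(), mode),
        ));
    }
    Ok(())
}

fn main() {
    // Constructed paths: a scratch "home" under the system temp directory.
    let home = std::env::temp_dir().join(format!("demo-home-{}", std::process::id()));
    let cache = home.join(".cache").join("Tectonic");
    println!("home missing: {:?}", ensure_private_dir(&home, &cache).map_err(|e| e.kind()));
    fs::create_dir(&home).expect("create scratch home");
    println!("home present: {:?}", ensure_private_dir(&home, &cache));
    fs::remove_dir_all(&home).ok();
}
```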