it seems like g10k hardcodes `/tmp/g10k` as a cache directory for the modules it downloads. this seems unsafe: if a (local) attacker knows about this, they can prepopulate the directory with evil files that they own.
another directory should be used, for example `/var/cache/g10k` (when running as root) or `~/.cache/g10k` (otherwise). see also https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html for that standard. otherwise we could follow the lead set by librarian and just use the directory where the Puppetfile is...
I understand that I can specify the `-cachedir` command-line parameter (or the `g10k_cachedir` environment) to work around this problem, but I think proper defaults should be enforced, especially since it's not possible to specify the cache directory in a Puppetfile.