Bug 1642729 Comment 15 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

>I don't know if we have a standard for what permission bits we set on what are essentially temp files created on Linux.

From a quick scan through this bug, it looks like the hostile application would potentially be running as the same user? So then it doesn't really matter? If the attacker is potentially another user, it may.

So the question is what API is used to create this "temp file". But looking at the code, it's just doing:

```
rv = mLocalImageFile->Create(nsIFile::NORMAL_FILE_TYPE, 0644);
```

So it's gonna be world readable.
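
Added example, not part of the comment or of Mozilla's code: a POSIX C sketch of what a requested mode of 0644 versus 0600 yields on a newly created file, and how the process umask narrows it. The scratch directory name, the file name and the helpers `created_perms` and `world_readable` are made up for this illustration; it assumes the file is ultimately created through `open()` with the mode passed as given.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a new file with the requested mode under the given umask and return
 * the permission bits it actually received, or -1 on error. O_EXCL makes the
 * call fail if the path already exists instead of reusing a pre-placed file. */
static int created_perms(mode_t requested, mode_t mask)
{
    char dir[] = "/tmp/permdemo-XXXXXX";   /* constructed scratch location */
    char path[64];
    struct stat st;
    int result = -1;

    if (mkdtemp(dir) == NULL)              /* private 0700 directory */
        return -1;
    snprintf(path, sizeof path, "%s/image.png", dir);

    mode_t old = umask(mask);              /* umask clears bits from the request */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, requested);
    umask(old);

    if (fd >= 0) {
        if (fstat(fd, &st) == 0)
            result = (int)(st.st_mode & 0777);
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

/* Non-zero if the "other" read bit is set, i.e. any local user may read it. */
static int world_readable(int perms)
{
    return perms >= 0 && (perms & S_IROTH) != 0;
}

int main(void)
{
    printf("0644, umask 022 -> %04o\n", (unsigned)created_perms(0644, 022));
    printf("0644, umask 077 -> %04o\n", (unsigned)created_perms(0644, 077));
    printf("0600, umask 022 -> %04o\n", (unsigned)created_perms(0600, 022));
    return 0;
}
```

With the common umask of 022 the 0644 request is granted unchanged, so only an explicit 0600 (or a restrictive umask) keeps other local users from reading the file.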
