1 May 2011, 12:01 a.m.
On Apr 30, 2011, at 10:36, Peter O'Gorman wrote:
# Use mktemp rather than mkdir to avoid possible security issue
# if $dir exists and is a symlink
I don't understand what this is trying to do; in no case will $dir contain XXXXXX for mktemp to replace with randomness, so in all cases Mac OS X mktemp behaves the same as mkdir ${dir}.
I refer you to the comment in the script. Using mkdir can lead to a man-in-the-middle attack on those sockets. That issue was specifically addressed in XQuartz 2.2.0, three years ago (and also a Leopard update at some point... either SecUpdate2008-002 or 10.5.5):

http://xquartz.macosforge.org/trac/wiki/X112.2.0
http://xquartz.macosforge.org/trac/wiki/Releases

--Jeremy
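
The case named in the quoted script comment ($dir already exists and is a symlink), as an added example that is not part of this thread or of the XQuartz script: a shell function that rejects a symlink before trusting an existing directory and otherwise creates it with plain `mkdir`. The name `check_socket_dir` and the "owned by the caller" policy are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not the XQuartz script. check_socket_dir is a hypothetical
# helper; the ownership policy below is an assumption for illustration.
#
# check_socket_dir DIR
#   returns 0 if DIR was created now, or already exists as a real directory
#   owned by the caller; returns 1 for symlinks and anything else.
check_socket_dir() {
    dir=$1

    # -L must be tested first: -d and -e follow symlinks, so a link planted
    # at $dir that points to another directory would pass a bare -d test.
    if [ -L "$dir" ]; then
        echo "error: $dir is a symlink" >&2
        return 1
    fi

    if [ -e "$dir" ]; then
        # Pre-existing path: accept only a real directory that we own.
        # (-O is not in POSIX test but is supported by bash, dash and ksh.)
        if [ ! -d "$dir" ] || [ ! -O "$dir" ]; then
            echo "error: $dir exists but is not a directory we own" >&2
            return 1
        fi
    else
        # mkdir without -p fails if anything, including a symlink, appears
        # at $dir after the checks above, so a failure here is fatal rather
        # than ignored.
        mkdir "$dir" || return 1
    fi

    # These checks narrow the window between test and use but cannot close
    # it from shell; the parent directory's permissions still matter.
    return 0
}
```
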