[Xquartz-dev] ah-HAH! the precise problem here is … (Re: I got it working, but still potential problem (Re: Getting bad DISPLAY value during use of 2.6.1-2.6.2 (not with 2.6.0 & before).)

Jeremy Huddleston jeremyhu at apple.com
Sat Apr 30 17:01:37 PDT 2011


On Apr 30, 2011, at 10:36, Peter O'Gorman wrote:

>>  	# Use mktemp rather than mkdir to avoid possible security issue
>>  	# if $dir exists and is a symlink

> I don't understand what this is trying to do, in no case will $dir contain XXXXXX for mktemp to replace with randomness, so in all cases Mac OS X mktemp behaves the same as mkdir ${dir}.

I refer you to the comment in the script.  Using mkdir can lead to a man-in-the-middle attack on those sockets.  That issue was specifically addressed in XQuartz 2.2.0, three years ago (and also a Leopard update at some point... either SecUpdate2008-002 or 10.5.5):

http://xquartz.macosforge.org/trac/wiki/X112.2.0
http://xquartz.macosforge.org/trac/wiki/Releases

--Jeremy
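As an added illustration (not code from this thread or from the XQuartz launch script), a portable sh function handling the case the quoted comment describes: it creates the socket directory with mkdir and, when the path already exists, refuses a symlink, a non-directory, or a directory that is not owned by the caller with mode 0700. The function name and messages are my own assumptions.

```shell
#!/bin/sh
# Create (or validate) a private per-user socket directory without following
# a symlink that another local user may have planted at the same path.
# Returns 0 if "$1" is now a real directory owned by us with mode 0700,
# 1 otherwise (with a diagnostic on stderr).
safe_socket_dir() {
    dir=$1
    # Try creation first: mkdir does not follow the final path component, so a
    # planted symlink makes it fail (EEXIST) instead of silently redirecting us.
    mkdir -m 0700 "$dir" 2>/dev/null && return 0
    # Creation failed, so something already sits at $dir. Check -L before -d,
    # because -d would follow the symlink to its target.
    [ -L "$dir" ] && { echo "refusing symlink at $dir" >&2; return 1; }
    [ -d "$dir" ] || { echo "$dir exists but is not a directory" >&2; return 1; }
    # ls -ldn gives the mode string and numeric owner uid portably
    # (POSIX sh has no -O ownership test).
    set -- $(ls -ldn "$dir")
    mode=$1
    owner=$3
    [ "$owner" = "$(id -u)" ] || { echo "$dir not owned by uid $(id -u)" >&2; return 1; }
    # Accept only drwx------ (a trailing + or @ for ACLs/xattrs is tolerated).
    case $mode in
        drwx------*) return 0 ;;
        *) echo "$dir has unsafe mode $mode" >&2; return 1 ;;
    esac
}
```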


