Permissions and deletion of temporary files created by preprocessors (pp) #1802

Open
@jboillot

Hello,
When a preprocessor (pp) is used, the input file is passed as an argument to the preprocessor executable and then redirected to a temporary file before being read again and deleted.

System.run_in_directory

The first problem I have is that, when correctly read, the temporary file is never deleted, which leads to an accumulation of merlinpp****.out files in the /tmp/ directory. I propose a simple fix for this issue in PR #1801.

The second problem is that the temporary file is created, at least on Linux, via a redirection of the stdout of the preprocessor program to a temporary file.

Printf.sprintf "%s 1>%s" args stdout

So, the permissions of this file are by default, at least on my computer, 0o644, which means everybody can read its content. Note that in the case of the input file, it is copied via a call to the function Filename.temp_file, which uses permissions 0o600 (only the owner can read and write).
I know this file only exists briefly (at least after the patch), and reading the source files requires being able to execute commands, but I'm not comfortable having source files accessible to everyone.
A possible fix could be to first create the source file via Filename.temp_file and then write into it with the redirection? I think this is the only place where the function System.run_in_directory is used with the stdout argument set. Should I include this in the PR? Should the creation of such a file be done in System.run_in_directory or in pparse.ml?

Have a good day!
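
The permission difference described in the issue, as an added example that is not part of the original post or of Merlin's code: a shell redirection creates its target with umask-derived permissions, while a file created first with mktemp (assumed here as a stand-in for Filename.temp_file) keeps mode 0600 when redirected into. PP_CMD, the file names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Merlin code). Constructed stand-in for a preprocessor command.
PP_CMD="printf 'let secret = 42\n'"

# Symbolic permission bits of a file, e.g. -rw-r--r--
file_perms() {
    ls -ld "$1" | cut -c1-10
}

# Behaviour described in the issue: "<cmd> 1><file>" lets the shell create the
# file, so its mode is 0666 masked by the umask (0644 under umask 022).
redirect_creates() {
    out="$1/merlinpp-demo-redirect.out"
    rm -f "$out"
    ( umask 022; sh -c "$PP_CMD 1>'$out'" )
    file_perms "$out"
}

# Proposed fix: create the file owner-only first (mktemp here, assumed to stand
# in for Filename.temp_file), then redirect into it. The redirection truncates
# the existing file and leaves its 0600 mode untouched.
precreate_then_redirect() {
    out=$(mktemp "$1/merlinpp-demo.XXXXXX")
    ( umask 022; sh -c "$PP_CMD 1>'$out'" )
    file_perms "$out"
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
echo "redirection creates the file: $(redirect_creates "$demo_dir")"
echo "pre-created, then redirected: $(precreate_then_redirect "$demo_dir")"
```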
