file-rename-utils-1.7.3-alt1_10.noarch	unsafe-tmp-usage-in-scripts	fail	The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/bin/htmlrename: $ grep /tmp/ /usr/bin/htmlrename old4=$(echo "$old3" | sed "s/!/%21/g") old5=$(echo "$old4" | sed "s/\`/%60/g") old6=$(echo "$old5" | sed "s/»/%BB/g") # this ~shouldn't~ normally fail, excepting unforseen punctuation if ! sed "s/$old1\|$old2\|$old3\|$old4\|$old5\|$old6/$new/g" "$1$suffix" >/tmp/htmlrename$$ then echo "$Name: substitution failed, files unaltered." exit 1 else # don't kill oldhtml in case of failure (esp. vfat f/s) (if [ "$suffix" ] ; then # f-ing firefox insists on saving without the .htm extension, so if there's no ".htm" , add it mv /tmp/htmlrename$$ "$2.htm" else mv /tmp/htmlrename$$ "$2$suffix" fi ) && \ mv "$1$suffix" /tmp/htmlrename && \ mv "$old" "$new" exit $? fi;