newsboat-2.31-alt1.x86_64	unsafe-tmp-usage-in-scripts	fail	The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/share/doc/newsboat/contrib/getpocket.com/create-pocket-user-token.sh: $ grep /tmp/ /usr/share/doc/newsboat/contrib/getpocket.com/create-pocket-user-token.sh # shamelessy copy this from contrib/bookmark-pinboard TMP_TOKEN=`echo $output | sed 's/^.*\"code\":"\([^"]*\)".*$/\1/'` # redirect user to pocket authentication page AUTH_URL="https://getpocket.com/auth/authorize?request_token=$TMP_TOKEN&redirect_uri=https://github.com/newsboat/newsboat/blob/c8c92a17fa0862fb7a648e88723eb48cb9cb582c/contrib/getpocket.com/after_authentication.md" echo $TMP_TOKEN> /tmp/pocket_token echo "please navigate to $AUTH_URL, active the access. Then press enter" xdg-open $AUTH_URL read dontcare output=`wget "consumer_key=$APPLICATION_CONSUMER_KEY&code=$TMP_TOKEN" https://getpocket.com/v3/oauth/authorize - 2>/dev/null` echo $output > /tmp/input output=`echo $output | sed 's/^.*access_token=\([^&"]*\).*$/\1/'` echo $output > ~/.pocket_access_token;