xfce4-genmon-plugin-4.3.0-alt1.x86_64 0 fail

The test discovered scripts with errors that a user may exploit to damage important system files. For example, if a script uses a temp file created in the /tmp directory, any user can create symlinks with the same name (pattern) in that directory in order to destroy or overwrite system files or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it.

Found error in /usr/share/xfce4/genmon/scripts/gmail:

$ grep /tmp/ /usr/share/xfce4/genmon/scripts/gmail
##############################################
# don't change anything below
##############################################
# get and save the atom feed
curl "$USERNAME":"$PASSWORD" "https://mail.google.com/mail/feed/atom" > /tmp/.gmail
# get number of unread messages
num_messages=$(grep "(?<=)[^<]+" /tmp/.gmail)
# get last checked time
last_checked=$(grep "(?<=)[^<]+" /tmp/.gmail | TZ=$TIMEZONE date +'%r')
# get ids, senders and subjects
mapfile < <(grep "(?<=)[^<]+" /tmp/.gmail | awk '{print $3}')
mapfile < <(grep "(?<=)[^<]+" /tmp/.gmail)
mapfile < <(grep "(?<=)[^<]+" /tmp/.gmail | grep Gmail)
# prepare tooltip string
out=$(for (( i=0; i<$num_messages; i++ )); do echo "${names[i]} - ${subjects[i]}#"; done)
toolstr="$(echo $out | sed 's/\# /\n/g' | sed 's/\#//g')"
# check to see if there are new, new messages (only notify if something new has arrived)
new_msgs=0
if [ $num_messages ]; then
    if [ /tmp/.gmail.lastid ]; then
        if [ "${ids[0]}" != "$(cat /tmp/.gmail.lastid)" ]; then
            echo ${ids[0]} > /tmp/.gmail.lastid
            let new_msgs=1
        fi
    else
        echo ${ids[0]} > /tmp/.gmail.lastid
        let new_msgs=1
    fi
fi;