Impact
When a user runs a keybind action write_scrollback_file, write_screen_file, or write_selection_file, the created file had permissions 0644, allowing any user on the system to read the file. This can leak sensitive or secret information, depending on what was on the screen.
Further, the file is created in the temporary directory and not removed until an external process (not Ghostty) removes it, i.e. a system restart. Therefore, this sensitive or secret information can remain laying around for an indefinite period of time.
Patches
Fixed in Ghostty v1.0.1. The files are now created with mode 0600.
PR: #4201
KevCui Reporter
Impact
When a user runs a keybind action
write_scrollback_file,write_screen_file, orwrite_selection_file, the created file had permissions0644, allowing any user on the system to read the file. This can leak sensitive or secret information, depending on what was on the screen.Further, the file is created in the temporary directory and not removed until an external process (not Ghostty) removes it, i.e. a system restart. Therefore, this sensitive or secret information can remain laying around for an indefinite period of time.
Patches
Fixed in Ghostty v1.0.1. The files are now created with mode
0600.PR: #4201