Security concern/question: Temporary folder not deleted!

Bug reports will be moved here when the described bug has been fixed

alexinquest
Junior Member
Posts: 6
Joined: 2010-01-25, 20:40 UTC


Post by alexinquest

I run TC on Windows 7 32-bit edition. And the same problem has also been confirmed for Vista.

What happens is I enter an encrypted archive from within TC. Then I press F3 to view a file, enter password. TC extracts it into a temporary directory, which in my case is c:\Users\User Name\AppData\Local\Temp\ and lets me view it.
Then I close the main TC window and TC also closes the Lister window as well without any warning. But the temporary file is still in the _TC folder, it is not deleted (while first overwritten with zeros, as it should be) and is there for everyone to see.

I think it's a serious security problem, unless there is something I don't understand.
MVV
Power Member
Posts: 8702
Joined: 2008-08-03, 12:51 UTC
Location: Russian Federation

Post by MVV

I create a ZIP using packing with a password, enter it, open a file in Lister and close TC - the file is left in the _tc folder completely unchanged!

BTW, with plugins an even more serious problem persists. E.g. yesterday I viewed some files in an encrypted 7Z archive, and the files were left in the temp folder unchanged! The problem is that TC can't know if the archive is really encrypted. BTW, 7Zip's caps don't even have the flag PK_CAPS_ENCRYPT (0x200), so TC should think that the plugin doesn't support encryption. I tried to find out if some flag exists that the packer returns to TC for an encrypted archive, but with no result.
ghisler(Author)
Site Admin
Posts: 48173
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by ghisler(Author)

About plugins: TC wipes (overwrites with 0) temp files when the plugin reports PK_CAPS_ENCRYPT. If the plugin doesn't report it, TC cannot know that the files were encrypted.
Author of Total Commander
https://www.ghisler.com
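
The cleanup rule described in the post above (overwrite with zeros, then delete, only when the packer plugin reports PK_CAPS_ENCRYPT), as an added example that is not part of the thread and not Total Commander's code. The names zero_fill, cleanup_temp and the fail_safe option are hypothetical; fail_safe illustrates wiping even when a plugin does not report the flag, which is the gap the thread discusses.

```c
#include <stdio.h>
#include <string.h>

/* Flag value as quoted in the thread: PK_CAPS_ENCRYPT (0x200). */
#define PK_CAPS_ENCRYPT 0x200

/* Hypothetical helper: overwrite every byte of the file with zeros in place.
   Returns the number of bytes overwritten, or -1 on error. */
long zero_fill(const char *path)
{
    FILE *f = fopen(path, "r+b");
    if (!f) return -1;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return -1; }
    long size = ftell(f);
    if (size < 0) { fclose(f); return -1; }
    rewind(f);

    char zeros[4096];
    memset(zeros, 0, sizeof zeros);
    for (long left = size; left > 0; ) {
        size_t n = left < (long)sizeof zeros ? (size_t)left : sizeof zeros;
        if (fwrite(zeros, 1, n, f) != n) { fclose(f); return -1; }
        left -= (long)n;
    }
    /* Push the zeros out of the stdio buffer before the file is removed. */
    if (fflush(f) != 0) { fclose(f); return -1; }
    fclose(f);
    return size;
}

/* Hypothetical cleanup policy for an extracted temp file.
   Wipes when the plugin's capability flags include PK_CAPS_ENCRYPT, or
   always when fail_safe is non-zero (assumption: treat every extracted
   file as sensitive because the flag may be missing).
   Returns 1 if wiped and deleted, 0 if only deleted, -1 on error. */
int cleanup_temp(const char *path, int packer_caps, int fail_safe)
{
    int wiped = 0;
    if ((packer_caps & PK_CAPS_ENCRYPT) || fail_safe) {
        if (zero_fill(path) < 0) return -1;
        wiped = 1;
    }
    if (remove(path) != 0) return -1;
    return wiped;
}
```

A single overwrite pass only replaces the file's current blocks; on SSDs and on journaling or copy-on-write filesystems, older copies of the data can survive outside the file.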
DrShark
Power Member
Posts: 1872
Joined: 2006-11-03, 22:26 UTC
Location: Kyiv, 68/262

Post by DrShark

Confirm fix in 7.55pb1.
ghisler(Author)
Site Admin
Posts: 48173
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by ghisler(Author)

Thanks!