2 files changed, 23 insertions, 4 deletions

diff --git a/attach.c b/attach.c
index 06dc12b3..7efba875 100644
--- a/attach.c
+++ b/attach.c
@@ -108,7 +108,8 @@ int mutt_compose_attachment (BODY *a)
 	  if (mutt_yesorno (_("Can't match nametemplate, continue?"), M_YES) != M_YES)
 	    goto bailout;
 	}
-	unlink_newfile = 1;
+	else
+	  unlink_newfile = 1;
       }
       else
 	strfcpy(newfile, a->filename, sizeof(newfile));
@@ -173,7 +174,11 @@ int mutt_compose_attachment (BODY *a)
 	    fclose (fp);
 	    fclose (tfp);
 	    mutt_unlink (a->filename);  
-	    mutt_rename_file (tempfile, a->filename); 
+	    if (mutt_rename_file (tempfile, a->filename) != 0) 
+	    {
+	      mutt_perror _("Failure to rename file.");
+	      goto bailout;
+	    }
 
 	    mutt_free_body (&b);
 	  }
@@ -235,7 +240,8 @@ int mutt_edit_attachment (BODY *a)
 	  if (mutt_yesorno (_("Can't match nametemplate, continue?"), M_YES) != M_YES)
 	    goto bailout;
 	}
-	unlink_newfile = 1;
+	else
+	  unlink_newfile = 1;
       }
       else
 	strfcpy(newfile, a->filename, sizeof(newfile));
@@ -607,6 +613,7 @@ int mutt_view_attachment (FILE *fp, BODY *a, int flag, HEADER *hdr,
 
     rc = mutt_do_pager (descrip, pagerfile,
 			M_PAGER_ATTACHMENT | (is_message ? M_PAGER_MESSAGE : 0), &info);
+    *pagerfile = '\0';
   }
   else
     rc = 0;
diff --git a/lib.c b/lib.c
index 33d57571..19473c97 100644
--- a/lib.c
+++ b/lib.c
@@ -181,13 +181,25 @@ char *mutt_strlower (char *s)
 
 void mutt_unlink (const char *s)
 {
+  int fd;
+  int flags;
   FILE *f;
   struct stat sb;
   char buf[2048];
+
+  /* Defend against symlink attacks */
+  
+#ifdef O_NOFOLLOW 
+  flags = O_RDWR | O_NOFOLLOW;
+#else
+  flags = O_RDWR;
+#endif
   
   if (stat (s, &sb) == 0)
   {
-    if ((f = fopen (s, "r+")))
+    if ((fd = open (s, flags)) < 0)
+      return;
+    if ((f = fdopen (fd, "r+")))
     {
       unlink (s);
       memset (buf, 0, sizeof (buf));