Axel Beckert <[EMAIL PROTECTED]> writes:

> Hi,
>
> conkeror respectively spawn-process-helper uses easily predictable
> file names ("/tmp/$FIELDNAME.txt") to spawn external editors. This
> allows to run symlink attacks[1] against conkeror.
>
> [1] http://en.wikipedia.org/wiki/Symlink_race
>
> Those file names should always contain an unpredictable part like
> provided by the file names generated by mktemp(1), mktemp(3) or e.g. in
> Perl by File::Temp.
>
> Unfortunately I haven't found the point where the file names are
> generated, so I currently can't offer a patch for this issue. It looks
> as if it's outside spawn-process-helper, though, so it's either
> somewhere in conkeror or somewhere in xulrunner.

This is actually not a security risk, because the file is opened using
the O_EXCL option, which will fail if a symlink exists.

--
Jeremy Maitin-Shepard
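
What the O_EXCL point in the reply means in practice, as an added example that is not part of the original thread or Conkeror's code: a fixed name is pre-created as a dangling symlink inside a private scratch directory, and open() is tried with and without O_EXCL. The directory layout, file names and helper functions are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open `path` for writing. With `exclusive` set,
 * O_CREAT|O_EXCL makes open() fail with EEXIST if anything, including a
 * symlink (even a dangling one), already exists under that name. */
static int open_edit_file(const char *path, int exclusive)
{
    int flags = O_WRONLY | O_CREAT | (exclusive ? O_EXCL : 0);
    return open(path, flags, 0600);
}

/* Plant a dangling symlink at a fixed name in a private scratch directory
 * (constructed test fixture), then try to create that name.
 * Returns 1 if open() was refused with EEXIST and the link target was not
 * created, 0 if the link was followed, -1 on setup failure. */
int symlink_refused(int exclusive)
{
    char dir[] = "/tmp/excl-demo-XXXXXX";
    char lnk[64], target[64];
    struct stat st;
    int fd, saved, result;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(lnk, sizeof lnk, "%s/field.txt", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, lnk) != 0) { rmdir(dir); return -1; }

    fd = open_edit_file(lnk, exclusive);
    saved = errno;
    if (fd >= 0) close(fd);
    result = (fd < 0 && saved == EEXIST && stat(target, &st) != 0);

    unlink(target); unlink(lnk); rmdir(dir);   /* clean up the fixture */
    return result;
}

int main(void)
{
    printf("O_CREAT|O_EXCL refused symlink: %d\n", symlink_refused(1));
    printf("O_CREAT alone refused symlink:  %d\n", symlink_refused(0));
    return 0;
}
```

With O_EXCL the existing name makes the open fail, so the caller has to handle EEXIST; a name from mkstemp(3) avoids that collision because mkstemp generates the name and opens it exclusively itself.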