[Conkeror] Symlink attack possible against conkeror / spawn-process-helper
Axel Beckert
abe at deuxchevaux.org
Mon Jun 9 09:06:31 PDT 2008
Hi,
conkeror, or rather spawn-process-helper, uses easily predictable
file names ("/tmp/$FIELDNAME.txt") to spawn external editors. This
allows symlink attacks[1] to be run against conkeror.
[1] http://en.wikipedia.org/wiki/Symlink_race
Those file names should always contain an unpredictable part, like the
one provided by the file names generated by mktemp(1), mktemp(3) or,
e.g. in Perl, by File::Temp.
Unfortunately I haven't found the point where the file names are
generated, so I currently can't offer a patch for this issue. It looks
as if it's outside spawn-process-helper, though, so it's either
somewhere in conkeror or somewhere in xulrunner.
Regards, Axel
--
Axel Beckert - abe at deuxchevaux.org, abe at noone.org - http://noone.org/abe/