[Conkeror] Symlink attack possible against conkeror / spawn-process-helper
Jeremy Maitin-Shepard
jeremy at jeremyms.com
Mon Jun 9 10:15:49 PDT 2008
Axel Beckert <abe at deuxchevaux.org> writes:
> Hi,
> conkeror respectively spawn-process-helper uses easily predictable
> file names ("/tmp/$FIELDNAME.txt") to spawn external editors. This
> allows running symlink attacks[1] against conkeror.
> [1] http://en.wikipedia.org/wiki/Symlink_race
> Those file names should always contain an unpredictable part like
> provided by the file names generated by mktemp(1), mktemp(3) or e.g. in
> Perl by File::Temp.
> Unfortunately I haven't found the point where the file names are
> generated, so I currently can't offer a patch for this issue. It looks
> as if it's outside spawn-process-helper, though, so it's either
> somewhere in conkeror or somewhere in xulrunner.
This is actually not a security risk, because the file is opened using
the O_EXCL option, which will fail if a symlink exists.
--
Jeremy Maitin-Shepard
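
The open(2) behaviour the reply refers to, as an added example that is not part of the original thread or of Conkeror's code: POSIX requires open() with O_CREAT|O_EXCL to fail with EEXIST when the path is a symbolic link, even a dangling one. The scratch directory and the names `field.txt` and `victim` are constructed for the demonstration, and Linux semantics are assumed for the case without O_EXCL.

```c
#define _XOPEN_SOURCE 700 /* mkdtemp(), symlink() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed scenario: inside a private scratch directory, plant a symlink
 * "field.txt" -> "victim" (victim does not exist), then try to create
 * "field.txt". Returns 1 if the link was followed and "victim" got created,
 * 0 if not, -1 on setup failure. *err receives 0 or open()'s errno. */
static int symlink_followed(int excl, int *err)
{
    char dir[] = "/tmp/oexcl-demo-XXXXXX";
    char lnk[64], victim[64];
    struct stat st;
    int fd, followed;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(lnk, sizeof lnk, "%s/field.txt", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, lnk) != 0) {
        rmdir(dir);
        return -1;
    }
    /* O_EXCL is only meaningful together with O_CREAT. */
    fd = open(lnk, O_WRONLY | O_CREAT | (excl ? O_EXCL : 0), 0600);
    *err = (fd < 0) ? errno : 0;
    if (fd >= 0)
        close(fd);
    followed = (stat(victim, &st) == 0);
    unlink(victim); /* fails harmlessly if the target was never created */
    unlink(lnk);
    rmdir(dir);
    return followed;
}

int main(void)
{
    for (int excl = 0; excl <= 1; excl++) {
        int err = 0, followed = symlink_followed(excl, &err);
        printf("O_EXCL=%d followed=%d errno=%d\n", excl, followed, err);
    }
    return 0;
}
```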