[Conkeror] Symlink attack possible against conkeror / spawn-process-helper
Axel Beckert
abe at deuxchevaux.org
Sun Jun 15 05:34:58 PDT 2008
Hi,
On Mon, Jun 09, 2008 at 01:15:49PM -0400, Jeremy Maitin-Shepard wrote:
> > conkeror, or rather spawn-process-helper, uses easily predictable
> > file names ("/tmp/$FIELDNAME.txt") when spawning external editors. This
> > allows symlink attacks[1] to be run against conkeror.
> > [...]
> > Unfortunately I haven't found the point where the file names are
> > generated, so I currently can't offer a patch for this issue. It looks
> > as if it's outside spawn-process-helper, though, so it's either
> > somewhere in conkeror or somewhere in xulrunner.
>
> This is actually not a security risk, because the file is opened using
> the O_EXCL option, which will fail if a symlink exists.
Right. I should have either tried it or found the right point in the code
before complaining. :)
Not even denial-of-service attacks seem possible: I get
/tmp/comment-1.txt now that a symlink exists. (Tested this time! ;-)
Thanks for clarifying this.
I do have the bad feeling, though, that someone will argue about this
again at some point... But we'll see. :-)
Regards, Axel
--
Axel Beckert - abe at deuxchevaux.org, abe at noone.org - http://noone.org/abe/
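The O_EXCL behaviour discussed above, as an added example in C that is neither Conkeror's nor spawn-process-helper's own code. It plants a symlink at a predictable name inside a scratch directory, shows that open() with O_CREAT|O_EXCL refuses it with EEXIST instead of following it, and then falls back to a numbered name in the style of the /tmp/comment-1.txt Axel observed. The numbered-name fallback (create_unused) is modelled on that reported behaviour, not taken from Conkeror's source, and the example assumes a writable /tmp.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create PATH for writing, but refuse if anything already exists at
 * that name, a symlink (even a dangling one) included.  Returns the fd,
 * or -1 with errno set (EEXIST when the name is taken). */
static int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Hypothetical fallback modelled on the thread: try NAME.txt, then
 * NAME-1.txt, NAME-2.txt, ... until an exclusive create succeeds.
 * The chosen path is written into OUT.  Returns the fd, or -1. */
static int create_unused(const char *dir, const char *name,
                         char *out, size_t outlen)
{
    for (int i = 0; i < 1000; i++) {
        if (i == 0)
            snprintf(out, outlen, "%s/%s.txt", dir, name);
        else
            snprintf(out, outlen, "%s/%s-%d.txt", dir, name, i);
        int fd = open_exclusive(out);
        if (fd >= 0)
            return fd;
        if (errno != EEXIST)      /* anything but "name taken" is fatal */
            return -1;
    }
    errno = EEXIST;
    return -1;
}

/* Scenario: a symlink sits at the predictable name.  Returns 1 when
 * O_EXCL refused to follow it and the fallback name was used while the
 * link target stayed untouched, 0 when the link was followed, -1 on
 * setup failure.  CHOSEN receives the fallback path. */
int run_demo(char *chosen, size_t chosen_len)
{
    char dir[64], victim[128], link[128];
    snprintf(dir, sizeof dir, "/tmp/excl-demo-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/comment.txt", dir); /* predictable name */

    /* Constructed sample: the file the symlink points at. */
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("keep me\n", f);
    fclose(f);
    if (symlink(victim, link) != 0)
        return -1;

    int result = 0;
    int fd = open_exclusive(link);
    if (fd >= 0) {
        close(fd);                /* link was followed: unsafe outcome */
    } else if (errno == EEXIST) {
        fd = create_unused(dir, "comment", chosen, chosen_len);
        if (fd >= 0) {
            close(fd);
            unlink(chosen);
            result = 1;
        }
    }

    /* The link target must be unchanged whatever happened above. */
    char buf[32] = {0};
    f = fopen(victim, "r");
    if (f) { if (!fgets(buf, sizeof buf, f)) buf[0] = 0; fclose(f); }
    if (strcmp(buf, "keep me\n") != 0)
        result = 0;

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    char chosen[128];
    int r = run_demo(chosen, sizeof chosen);
    printf("O_EXCL refused the symlink: %s; fallback name: %s\n",
           r == 1 ? "yes" : "no", r == 1 ? chosen : "(none)");
    return r == 1 ? 0 : 1;
}
```

The useful detail is in create_unused: only EEXIST is treated as "pick the next name"; any other error (EACCES, ENOSPC) aborts, so a planted symlink costs the application nothing more than one extra open() call, which is why no denial of service is possible either.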