Hello,

I (?) found a /tmp race in lynx 2.7.1. Another stupid program, which uses the global /tmp directory instead of the environment variable TMPDIR...

When lynx downloads something, it happily uses /tmp/L{seq number}{pid}TMP.{contents extension}. When downloading is done, it creates a new file, /tmp/L{last number+1}{pid}TMP.html, which contains HTML with options like 'Save to disk' and will be displayed. Of course it's created unsafely, and may be easily exploited to overwrite files or pass your own data to lynx... E.g. you may change the default 'Save to disk' href to:

    <a href="LYNXDOWNLOAD://Method=-1/File=/tmp/my_own_file/SugFile=blah">

Lynx's /tmp file creation procedure is so poor that it isn't the only vulnerability.

Source code details/fix:

In LYUtils.c, they have written their own function to make a tmp filename, called tempname. How it works:

    sprintf(namebuffer,"%sL%d%uTMP.html",lynx_temp_space,getpid(),counter++);

Fools, fools, fools!!! This is NOT a single-task, single-user environment. Rewrite this function or remove it; use mkstemp instead.

_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtufat_private]
To iterate is human, to execute recursively, divine [P. Deutsch]
=--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
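
The fix suggested in the message (honour TMPDIR, create the file with mkstemp), written out as an added example; this is not code from the original post or from lynx. The function names and the "LXXXXXX" template are hypothetical, and the second function shows why exclusive creation is the property that matters: a name already present in the directory, here a symlink in a private scratch directory, is refused instead of followed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical replacement for a pid+counter name generator: the directory
 * comes from $TMPDIR (fallback /tmp), the name and the open from mkstemp. */
int safe_tempfile(char *path, size_t len)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    if ((size_t)snprintf(path, len, "%s/LXXXXXX", dir) >= len) {
        errno = ENAMETOOLONG;          /* template did not fit in the buffer */
        return -1;
    }
    /* mkstemp fills in the X's and opens with O_CREAT|O_EXCL, mode 0600. */
    return mkstemp(path);
}

/* Returns 1 if O_CREAT|O_EXCL refuses a pre-existing symlink at the chosen
 * name. Constructed scenario, confined to a fresh mkdtemp directory. */
int excl_refuses_planted_link(void)
{
    char dir[] = "/tmp/tmpdemoXXXXXX";
    char lnk[64], target[64];
    int refused = 0;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(lnk, sizeof lnk, "%s/L1234TMP.html", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, lnk) == 0) {
        int fd = open(lnk, O_WRONLY | O_CREAT | O_EXCL, 0600);
        refused = (fd == -1 && errno == EEXIST);
        if (fd != -1)
            close(fd);
        unlink(lnk);
    }
    unlink(target);                    /* only exists if the open succeeded */
    rmdir(dir);
    return refused;
}

int main(void)
{
    char path[4096];
    int fd = safe_tempfile(path, sizeof path);
    if (fd == -1) { perror("safe_tempfile"); return 1; }
    printf("created %s; planted name refused: %d\n", path, excl_refuses_planted_link());
    close(fd);
    unlink(path);
    return 0;
}
```

mkstemp cannot append a suffix such as ".html"; where the extension is required, some libcs offer the non-POSIX mkstemps for that.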