Another day, another race - lynx 2.7.1

Michal Zalewski (lcamtuf@BOSS.STASZIC.WAW.PL)
Tue, 17 Mar 1998 15:39:58 +0100

Hello,

I (?) found a /tmp race in lynx 2.7.1. Another stupid program which uses the
global /tmp directory instead of the TMPDIR environment variable... When lynx
downloads something, it happily uses /tmp/L{seq number}{pid}TMP.{contents
extension}. When the download is done, it creates a new file, /tmp/L{last
number+1}{pid}TMP.html, which contains HTML with options like 'Save
to disk' and will be displayed. Of course it's created unsafely, and may be
easily exploited to overwrite files or to pass your own data to lynx... E.g.
you may change the default 'Save to disk' href to:

<a href="LYNXDOWNLOAD://Method=-1/File=/tmp/my_own_file/SugFile=blah">

Lynx's /tmp file creation procedure is so poor that this isn't the only
vulnerability.

Source code details/fix:

In LYUtils.c, they wrote their own function to make a tmp filename, called
tempname. How it works:

sprintf(namebuffer,"%sL%d%uTMP.html",lynx_temp_space,getpid(),counter++);

Fools, fools, fools!!! This is NOT a single-task, single-user environment.
Rewrite this function or remove it; use mkstemp instead.

_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deustch]
=--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
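Added example (editor's code, not lynx's and not from the post above): the predictable lynx-style name beside the mkstemp replacement the post asks for, with the attacker's step simulated. It assumes lynx_temp_space is a plain directory (a "/" separator is added here), that the attacker already knows the victim's pid and the counter value, and it plants the symlink sequentially rather than actually winning a race; function names, the scratch directory and the "victim.txt" file are all invented for the demo.

```c
/* Predictable /tmp names vs. mkstemp: added demo, not lynx's own code. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PATHBUF 4096

/* Honour TMPDIR as the post asks for; fall back to /tmp. */
static const char *temp_dir(void)
{
    const char *d = getenv("TMPDIR");
    return (d && *d) ? d : "/tmp";
}

/* Scratch directory for the demo, created safely with mkdtemp. */
int make_workdir(char *buf, size_t len)
{
    int n = snprintf(buf, len, "%s/racedemoXXXXXX", temp_dir());
    if (n <= 0 || (size_t)n >= len) return -1;
    return mkdtemp(buf) ? 0 : -1;
}

/* The lynx 2.7.1 scheme quoted in the post ("%sL%d%uTMP.html"): pid is
   visible in ps, counter starts at 0, so the next name is fully predictable.
   Assumption: dir is a directory, so a "/" is inserted here. */
int lynx_style_name(char *buf, size_t len, const char *dir, pid_t pid, unsigned counter)
{
    int n = snprintf(buf, len, "%s/L%d%uTMP.html", dir, (int)pid, counter);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Unsafe creation: fopen(name, "w") truncates whatever sits at that path,
   following a symlink an attacker planted there. */
int unsafe_create(const char *name, const char *html)
{
    FILE *f = fopen(name, "w");
    if (!f) return -1;
    fputs(html, f);
    fclose(f);
    return 0;
}

/* Safe creation: mkstemp opens with O_CREAT|O_EXCL and mode 0600, retrying
   until the name is genuinely fresh, so a pre-planted file or symlink is never
   opened. On success `name` holds the created path and the caller owns it. */
int safe_create(char *name, size_t len, const char *dir, const char *html)
{
    int n = snprintf(name, len, "%s/lynxXXXXXX", dir);
    if (n <= 0 || (size_t)n >= len) return -1;
    int fd = mkstemp(name);
    if (fd < 0) return -1;
    size_t todo = strlen(html);
    while (todo) {
        ssize_t w = write(fd, html, todo);
        if (w < 0) { close(fd); unlink(name); return -1; }
        html += w; todo -= (size_t)w;
    }
    close(fd);
    return 0;
}

/* Attacker plants a symlink at the predicted name -> victim writes through it.
   Returns 1 if victim.txt was clobbered (the post's "overwrite files" case). */
int demo_symlink_race(const char *workdir)
{
    char victim[PATHBUF], predicted[PATHBUF], buf[64] = {0};
    snprintf(victim, sizeof victim, "%s/victim.txt", workdir);
    FILE *v = fopen(victim, "w"); fputs("original\n", v); fclose(v);
    lynx_style_name(predicted, sizeof predicted, workdir, getpid(), 0);
    symlink(victim, predicted);               /* attacker's move, simulated */
    unsafe_create(predicted, "<html>evil</html>\n");
    v = fopen(victim, "r"); fgets(buf, sizeof buf, v); fclose(v);
    unlink(predicted); unlink(victim);
    return strcmp(buf, "original\n") != 0;
}

/* With a (dangling) symlink planted at the predicted name, an exclusive create
   fails with EEXIST instead of following the link and creating its target. */
int demo_excl_refuses(const char *workdir)
{
    char target[PATHBUF], predicted[PATHBUF];
    snprintf(target, sizeof target, "%s/should_not_exist", workdir);
    lynx_style_name(predicted, sizeof predicted, workdir, getpid(), 1);
    symlink(target, predicted);
    int fd = open(predicted, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int err = errno;
    if (fd >= 0) close(fd);
    int refused = (fd < 0 && err == EEXIST && access(target, F_OK) != 0);
    unlink(predicted); unlink(target);
    return refused;
}

int main(void)
{
    char wd[PATHBUF], created[PATHBUF];
    if (make_workdir(wd, sizeof wd) != 0) return 1;
    printf("unsafe fopen clobbered victim: %d\n", demo_symlink_race(wd));
    printf("O_EXCL refused planted link:   %d\n", demo_excl_refuses(wd));
    printf("mkstemp ok: %d\n", safe_create(created, sizeof created, wd, "<html>ok</html>\n") == 0);
    unlink(created); rmdir(wd);
    return 0;
}
```

The point of the O_EXCL check is that mkstemp's safety comes from the exclusive create, not from the random suffix alone; a predictable name opened with O_CREAT|O_EXCL would at least fail loudly, while a random name opened with fopen("w") would still follow a symlink if the attacker guessed it.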