Re: Another day, another race - lynx 2.7.1

Daniel Reed (djr@NARNIA.N.ML.ORG)
Tue, 17 Mar 1998 18:47:18 -0500

On Tue, 17 Mar 1998, Michal Zalewski wrote:
) I (?) found a /tmp race in lynx 2.7.1. Another stupid program, which uses
) the global /tmp directory instead of the environment variable TMPDIR... When lynx
) downloads something, it happily uses /tmp/L{seq number}{pid}TMP.{contents
) extension}. When downloading is done, it creates a new file, /tmp/L{last
) number+1}{pid}TMP.html, which contains html with options like 'Save
) to disk' and will be displayed. Of course it's created unsafely, and may be
) easily exploited to overwrite files or pass your own data to lynx... E.g.
) you may change the default 'Save to disk' href to:
[...]
) Fools, fools, fools!!! This is NOT a single-task, single-user environment.
) Rewrite this function or remove it; use mkstemp instead.
This is why I, as well as most other people (I'm assuming), changed the
following section of userdefs.h:

/**************************
* A place to put temporary files, it's almost always in "/tmp/"
* for UNIX systems. If you include "$USER" in the definition
* (e.g., "/tmp/$USER"), Lynx will replace the "$USER" with the
* username of the account which invoked the Lynx image. Such
* directories should already exist, and have protections/ACLs set
* so that only the appropriate user(s) will have read/write access.
* If the path includes a tilde (e.g, "~" or "~/lynxtmp"), Lynx will
* replace the tilde with the full path for the user's home.
* The definition here can be overridden at run time by setting a
* "LYNX_TEMP_SPACE" environment symbol.
*/
#define TEMP_SPACE "/tmp/"

My TEMP_SPACE is set to "~" so unless the users' home directories are
world writable, it isn't a problem (and if the home directories are world
writable, that user has other, more significant problems than just having
people able to disrupt his lynx session).

That snippet of userdefs.h (which you are recommended to review in step 1
of the INSTALLATION file) is from lynx2.8rel.3, though I clearly recall
setting it similarly when I installed lynx2.7.2 (and I don't see
anything in docs/CHANGES2.7 to indicate that anything had changed with regard
to this from 2.7.1 to 2.7.2).

--
Daniel Reed <n@narnia.n.ml.org> (3CE060DD)
System administrator at large...
A computer without Windows is like a fish without a bicycle