lynx-dev
Re: LYNX-DEV [Fwd: BoS: A vulnerability in Lynx (all versions)]


From: Klaus Weide
Subject: Re: LYNX-DEV [Fwd: BoS: A vulnerability in Lynx (all versions)]
Date: Tue, 6 May 1997 23:56:33 -0500 (CDT)

On Tue, 6 May 1997, Henri Torgemane wrote:

> Subject: LYNX-DEV [Fwd: BoS: A vulnerability in Lynx (all versions)]
> 
> Here's something posted yesterday on a security mailing list.
> You may want to look at it.

Something like the appended wrapper shell script should prevent this.
[ Of course, no guarantees.  Comments?? ]
It should work on Unix(-like) systems for all Lynx versions that
understand the LYNX_TEMP_SPACE environment variable - which may be
all of them.

   Klaus

------------ snip -----------
#!/bin/sh
#
# This wrapper script for Lynx creates a unique subdirectory of /tmp/
# where files can be read and written only by the user, and tries to
# remove it (and any remaining files there) after Lynx exits.
# The environment variable LYNX_TEMP_SPACE is set before launching Lynx,
# so that it will use the subdirectory for temporary files instead of
# (typically) creating them directly in /tmp/.
# It intentionally fails if the subdirectory cannot be created 
# (for example because it already exists).
#
# It could be used by individual users or installed system wide.
# Some things most likely need to be modified.  For example use full
# paths for commands.
#
# Don't use without modification for an anonymous (captive) guest account!
#

# Name for the subdir, most important is "$$" for process id.

# After shell expansion it should only consist of "normal" filename 
# characters [a-zA-Z0-9._-], nothing that would require shell, URL, 
# or HTML escaping.
# *** The subdirectory will be removed on exit ***
#     You have been warned... 

LYNX_TEMP_SPACE=/tmp/LY$$-$USER

# We still may want to use the original umask while Lynx is running
oldumask=`umask`
umask 077 || { echo "$0: cannot change umask!"; exit 1; }
# Create subdir
mkdir "$LYNX_TEMP_SPACE" || {
        echo "$0: cannot create $LYNX_TEMP_SPACE !"; exit 1; }
# Make sure at least one file exists
touch "$LYNX_TEMP_SPACE/.created" || {
        echo "$0: cannot create $LYNX_TEMP_SPACE/.created !"; exit 1; }
# Just to make sure...
chmod 700 "$LYNX_TEMP_SPACE" || {
        echo "$0: cannot chmod $LYNX_TEMP_SPACE !"; exit 1; }
umask $oldumask

# The following line may need to be modified
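# (KILL cannot be trapped, so it is not listed; some shells also do not
# know the names ILL, TRAP or IOT.)
trap "rm -r $LYNX_TEMP_SPACE; exit \$?" EXIT INT QUIT ILL TRAP IOT PIPE TERM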
export LYNX_TEMP_SPACE

# Finally, call Lynx.
# You may want to put additional flags that always should be used on
# the following line, -show_cursor and -cookies are only examples
# that work with newer versions.
# Of course, change the path!

/path/to/bin/lynx -show_cursor -cookies "$@"
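
An added example, not part of Klaus Weide's post or of Lynx: the same private-directory idea using `mktemp -d` for an unpredictable name, with a check of the resulting directory and cleanup on exit. The function names are made up for this example, and it assumes a mktemp(1) that supports `-d`.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes mktemp(1) supports -d.

# Create a private directory with an unpredictable name and print its path.
make_private_tmp() {
    # mktemp -d creates the directory atomically and fails instead of
    # reusing an existing name, so a pre-planted entry is never adopted.
    dir=$(umask 077 && mktemp -d "${TMPDIR:-/tmp}/lynx.XXXXXX") || return 1
    # Verify the result: a real directory (not a symlink) with no
    # group/other permission bits.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then return 1; fi
    case $(ls -ld "$dir" | cut -c1-10) in
        drwx--[-S]--[-T]) ;;
        *) rmdir "$dir"; return 1 ;;
    esac
    printf '%s\n' "$dir"
}

# Run "$@" with LYNX_TEMP_SPACE pointing at a fresh private directory,
# remove the directory afterwards, and return the command's exit status.
run_with_private_tmp() {
    LYNX_TEMP_SPACE=$(make_private_tmp) || {
        echo "cannot create private temp directory" >&2; return 1; }
    export LYNX_TEMP_SPACE
    (
        # Single-quoted so the path is expanded, safely quoted, at cleanup.
        trap 'rm -rf -- "$LYNX_TEMP_SPACE"' EXIT
        # Turn catchable signals into a normal exit so the EXIT trap runs.
        trap 'exit 129' HUP
        trap 'exit 130' INT
        trap 'exit 143' TERM
        "$@"
        rc=$?
        exit "$rc"
    )
    rc=$?
    # Do not leave a stale path in the caller's environment.
    unset LYNX_TEMP_SPACE
    return "$rc"
}

# Usage (path is a placeholder, as in the original script):
#   run_with_private_tmp /path/to/bin/lynx -show_cursor -cookies "$@"
```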
