Re: LYNX-DEV [Fwd: BoS: A vulnerability in Lynx (all versions)]
From: Hynek Med
Subject: Re: LYNX-DEV [Fwd: BoS: A vulnerability in Lynx (all versions)]
Date: Wed, 7 May 1997 13:05:48 +0200 (MET DST)
On Tue, 6 May 1997, Klaus Weide wrote:
> On Tue, 6 May 1997, Henri Torgemane wrote:
>
> > Subject: LYNX-DEV [Fwd: BoS: A vulnerability in Lynx (all versions)]
> >
> > Here's something posted yesterday on a security mailing list.
> > You may want to look at it.
>
> Something like the appended wrapper shell script should prevent this.
> [ Of course, no guarantees. Comments?? ]
Well, it surely works, but I think this should be done from within lynx.
Lynx should have a function for creating temporary files, that should:
a) create the file with 600 permissions anyway, to guarantee privacy
b) pick a very random name for the file
c) check if the file about to be created isn't already a symlink/hardlink
d) optionally do all this in a subdirectory with 700 permissions as your
script suggests
I don't know any C, does some kind of standard mktemp() function do this
all? Is it available on all systems?
Hynek
PS The fastest solution is to set LYNX_TEMP_SPACE somewhere in $HOME, as
many people suggested.
--
Hynek Med, address@hidden
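
Requirements a) to d) from the message above, sketched in C as an added example (not part of the original message and not Lynx's own code). `private_tmpdir` and `safe_tmpfile` are hypothetical names, the `lynx-<uid>` directory name is an assumption, and POSIX `mkstemp()` is assumed to be available.

```c
#define _XOPEN_SOURCE 700   /* expose mkstemp() and lstat() under strict -std= modes */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper for (d): create or reuse base/lynx-<uid> as a private
 * directory. Returns 0, or -1 if the path is not a real directory owned by us
 * with no group/other access (for example a symlink someone planted there). */
int private_tmpdir(const char *base, char *out, size_t outlen)
{
    struct stat st;
    int n = snprintf(out, outlen, "%s/lynx-%lu", base, (unsigned long)geteuid());
    if (n < 0 || (size_t)n >= outlen) return -1;
    if (mkdir(out, 0700) != 0 && errno != EEXIST)
        return -1;
    if (lstat(out, &st) != 0)          /* lstat() does not follow symlinks */
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != geteuid() || (st.st_mode & 077) != 0)
        return -1;
    return 0;
}

/* Hypothetical helper for (a)-(c): mkstemp() picks the name and opens it with
 * O_CREAT|O_EXCL, so a file or symlink already sitting at that name makes the
 * open fail instead of being followed. Returns an open fd, or -1. */
int safe_tmpfile(const char *dir, char *path, size_t pathlen)
{
    struct stat st;
    mode_t old;
    int fd, n = snprintf(path, pathlen, "%s/LXXXXXX", dir);
    if (n < 0 || (size_t)n >= pathlen) return -1;
    old = umask(077);                  /* force 0600 even on old C libraries */
    fd = mkstemp(path);
    umask(old);
    if (fd < 0)
        return -1;
    /* Verify the object actually opened: regular file, ours, one link, 0600. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid() ||
        st.st_nlink != 1 || (st.st_mode & 077) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}
```

The older `mktemp()` only returns a name and leaves a window between choosing the name and opening the file, which is why the sketch uses `mkstemp()` instead.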