lynx-dev
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

lynx-dev Re: A vulnerability in Lynx (all versions) <bug 004352> [BSDI-S


From: Jeffrey C Honig
Subject: lynx-dev Re: A vulnerability in Lynx (all versions) <bug 004352> [BSDI-Support-Request #41289]
Date: Tue, 30 Jun 1998 17:27:13 -0400

This is an old bug report that was just handed to me.  I do not see
any fixes in Lynx 2.8.

The only safe way to work with temporary files in a public directory
(i.e. /tmp) is to use open(..., O_EXCL|O_CREAT, ...).  Anything else
leaves you open to a race condition and the problems documented here.

I've included the source to the Berkeley mkstemp() routine.  You could
use the system's version of this if present, or include your own.
Note that mktemp() isn't secure, only mktemp() is.

Thanks.

Jeff

> Date:         Mon, 5 May 1997 16:48:30 -0400
> Reply-To: fflush <address@hidden>
> Sender: Bugtraq List <address@hidden>
> From: fflush <address@hidden>
> Subject:      A vulnerability in Lynx (all versions)
> To: address@hidden
> 
> Hey all,
> 
> The same problem present in Elm 2.4 PL24 and earlier is present in all
> versions of Lynx (tested on 2.7.1, Linux). When a lynx user D)ownloads a
> file, a temporary file with a predictable name is created to store the file
> until it is completely downloaded. The file is /tmp/L*0TMP.html (the
> extension is .html regardless of actual file type). * is the PID of Lynx,
> and 0 is the download number (the second download would have number 1, and
> so on). Lynx doesn't check for previous existence of this file, and *will*
> write to symlinks. Any local user can create a symbolic link (or hard link,
> for that matter) with this predictable name to one of the Lynx user's files,
> and when this user D)ownloads something, his file will be overwritten by
> whatever he was downloading. If the attacker has some sort of idea as to the
> content of the download (before the fact, obviously) he can write arbitrary
> data to the victim's ~/.rhosts or other crucial file.
> 
> Since there is usually a substantial time space between downloads (in an
> average Lynx session), an attacker has enough time to investigate, and set
> up his/her attack.
> 
> Fix: Why don't people like using mktemp() or tmpfile() ?
> 
> fflush
/*      BSDI $Id: mktemp.c,v 2.2 1997/04/07 13:33:27 bostic Exp $       */

/*
 * Copyright (c) 1987, 1993
 *      The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *      This product includes software developed by the University of
 *      California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#if defined(LIBC_SCCS) && !defined(lint)
static char sccsid[] = "@(#)mktemp.c    8.1 (Berkeley) 6/4/93";
#endif /* LIBC_SCCS and not lint */

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>
#include <stdio.h>
#include <ctype.h>

static int _gettemp();

mkstemp(path)
        char *path;
{
        int fd;

        return (_gettemp(path, &fd) ? fd : -1);
}

char *
mktemp(path)
        char *path;
{
        return(_gettemp(path, (int *)NULL) ? path : (char *)NULL);
}

static
_gettemp(path, doopen)
        char *path;
        register int *doopen;
{
        extern int errno;
        register char *start, *trv;
        struct stat sbuf;
        u_int pid;

        pid = getpid();
        for (trv = path; *trv; ++trv);          /* extra X's get set to 0's */
        while (*--trv == 'X') {
                *trv = (pid % 10) + '0';
                pid /= 10;
        }

        /*
         * check the target directory; if you have six X's and it
         * doesn't exist this runs for a *very* long time.
         */
        for (start = trv + 1;; --trv) {
                if (trv <= path)
                        break;
                if (*trv == '/') {
                        *trv = '\0';
                        if (stat(path, &sbuf))
                                return(0);
                        if (!S_ISDIR(sbuf.st_mode)) {
                                errno = ENOTDIR;
                                return(0);
                        }
                        *trv = '/';
                        break;
                }
        }

        for (;;) {
                if (doopen) {
                        if ((*doopen =
                            open(path, O_CREAT|O_EXCL|O_RDWR, 0600)) >= 0)
                                return(1);
                        if (errno != EEXIST)
                                return(0);
                }
                else if (lstat(path, &sbuf))
                        return(errno == ENOENT ? 1 : 0);

                /* tricky little algorithm for backward compatibility */
                for (trv = start;;) {
                        if (!*trv)
                                return(0);
                        if (*trv == 'z')
                                *trv++ = 'a';
                        else {
                                if (isdigit(*trv))
                                        *trv = 'a';
                                else
                                        ++*trv;
                                break;
                        }
                }
        }
        /*NOTREACHED*/
}

reply via email to

[Prev in Thread] Current Thread [Next in Thread]