avoid symlink attacks in __fish_print_packages and spawning fishd
 * use $XDG_CACHE_HOME for __fish_print_packages completion caches
 * when starting fishd, redirect fishd output to /dev/null, not a
   predictable path

Fix for CVE-2014-3219.

Closes #1440.
zanchey committed May 12, 2014
1 parent 6596d91 commit 3225d7e
Showing 2 changed files with 10 additions and 4 deletions.
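--- a/env.cpp
+++ b/env.cpp
@@ -58,7 +58,7 @@
 #include "fish_version.h"
 
 /** Command used to start fishd */
-#define FISHD_CMD L"fishd ^ /tmp/fishd.log.%s"
+#define FISHD_CMD L"fishd ^ /dev/null"
 
 // Version for easier debugging
 //#define FISHD_CMD L"fishd"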
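Review bot: The new `FISHD_CMD` no longer contains the `%s` that the old definition had, so any call site that still formats this macro with a user name would now pass an argument the format string ignores. That call site is outside this hunk and should be checked and simplified to use the string as-is. Sending stderr to `/dev/null` also means a fishd that fails to start does so silently, which the doc comment should say, for example `/** Command used to start fishd. stderr is discarded instead of being written to a predictable /tmp path (CVE-2014-3219). */`.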
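--- a/share/functions/__fish_print_packages.fish
+++ b/share/functions/__fish_print_packages.fish
@@ -12,6 +12,12 @@ function __fish_print_packages
 #Get the word 'Package' in the current language
 set -l package (_ Package)
 
+# Set up cache directory
+if test -z "$XDG_CACHE_HOME"
+set XDG_CACHE_HOME $HOME/.cache
+end
+mkdir -m 700 -p $XDG_CACHE_HOME
+
 if type -f apt-cache >/dev/null
 # Do not generate the cache as apparently sometimes this is slow.
 # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=547550
@@ -31,7 +37,7 @@ function __fish_print_packages
 
 # Caches for 5 minutes
 if type -f pacman >/dev/null
-set cache_file /tmp/.pac-cache.$USER
+set cache_file $XDG_CACHE_HOME/.pac-cache.$USER
 if test -f $cache_file
 cat $cache_file
 set age (math (date +%s) - (stat -c '%Y' $cache_file))
@@ -51,7 +57,7 @@ function __fish_print_packages
 
 # If the cache is less than six hours old, we do not recalculate it
 
-set cache_file /tmp/.yum-cache.$USER
+set cache_file $XDG_CACHE_HOME/.yum-cache.$USER
 if test -f $cache_file
 cat $cache_file
 set age (math (date +%s) - (stat -c '%Y' $cache_file))
@@ -73,7 +79,7 @@ function __fish_print_packages
 
 # If the cache is less than five minutes old, we do not recalculate it
 
-set cache_file /tmp/.rpm-cache.$USER
+set cache_file $XDG_CACHE_HOME/.rpm-cache.$USER
 if test -f $cache_file
 cat $cache_file
 set age (math (date +%s) - (stat -c '%Y' $cache_file))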
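Review bot: `mkdir -m 700 -p $XDG_CACHE_HOME` only sets the mode on a directory it creates, so an existing directory, or an inherited `XDG_CACHE_HOME` that points at a shared location, is used as-is and the cache files keep a predictable name inside it. A guard right after the mkdir would close that gap, for example `if not test -O $XDG_CACHE_HOME; return 1; end`, ideally also refusing a directory that is group- or world-writable. The `set XDG_CACHE_HOME $HOME/.cache` line carries no scope flag, so a variable that already exists but is empty is overwritten in its own scope; copying the value into a `set -l` local would keep the change inside the function. The function body continues outside these hunks, so how the cache files themselves are written cannot be judged from here.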
