
Restrict fish_config socket connections (CVE-2014-2914) #1438

Closed
zanchey opened this issue Apr 28, 2014 · 6 comments

Comments

zanchey (Member) commented Apr 28, 2014

Before 6d74978 and 44b35f7 anyone* could connect to a running fish_config server and send code to (e.g.) set_prompt, which is obviously bad.

That's been clamped down to localhost-only now, which helps, but it's still possible for someone on your local machine to wait for you to start fish_config and then talk to the server.

There's a perfect API for verifying who is on the other end of a local IP/IPv6 socket - getpeerucred(3). Unfortunately, it's only available on Solaris.

We could include an authentication key in the URL, but that could be read from the command line.

amluto (Contributor) commented Apr 28, 2014

See #1441 for a nicer version of this.

@zanchey zanchey added this to the 2.1.1 milestone Apr 29, 2014
zanchey (Member, Author) commented Jun 28, 2014

Note that #1441 still doesn't stop attackers on the same machine from sending arbitrary code to fish_config. I have not been struck by inspiration for a fix on mainstream platforms.

amluto (Contributor) commented Jun 28, 2014

Use a token in a query string, perhaps? Or maybe a secret URL prefix?

zanchey (Member, Author) commented Jun 29, 2014

You can see that sort of thing in the process table unfortunately.

amluto (Contributor) commented Jun 29, 2014

Next silly idea: write the main config page to ~/.config/fish/fish_config.html. Stick a secret token in there, and send the user to file:///HOME/.config/fish/fish_config.html.

This might require setting a CORS policy on the server, but that's not so bad.

zanchey added a commit to zanchey/fish-shell that referenced this issue Jul 31, 2014
 - Require an authentication cookie for all requests.
 - Add a '/start/' handler for setting the authentication cookie.
 - Use a redirect file to avoid exposing the '/start' URL on the command
   line, as it contains the cookie value.

Fix for CVE-2014-2914.
Closes fish-shell#1438.
zanchey (Member, Author) commented Jul 31, 2014

Good idea! I've implemented something similar in #1587.
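The scheme the thread converges on (a random per-session path that the browser learns from a file:// redirect page instead of from the command line, where `ps` would show it), as an added illustration that is not fish's own code: the file name `fish_config_redirect.html`, the placeholder page body and the `serve()` wiring are assumptions.

```python
import http.server
import os
import secrets
import webbrowser


def make_session_token():
    # 128-bit random token; it must never appear in argv, where ps shows it to every local user
    return secrets.token_hex(16)


def is_authorized(request_path, token):
    # first path segment must equal the session token; compare in constant time
    first_segment = request_path.lstrip("/").split("/", 1)[0]
    return secrets.compare_digest(first_segment.encode(), token.encode())


def write_redirect_file(directory, token, port):
    # redirect page the browser opens via file://; mode 0600 keeps other local users out
    path = os.path.join(directory, "fish_config_redirect.html")  # assumed file name
    url = f"http://localhost:{port}/{token}/"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also fix the mode if the file already existed
    with os.fdopen(fd, "w") as f:
        f.write(f'<!doctype html><meta http-equiv="refresh" content="0;url={url}">')
    return path


class SessionHandler(http.server.BaseHTTPRequestHandler):
    token = None  # set per server instance in serve()

    def do_GET(self):
        if not is_authorized(self.path, self.token):
            self.send_error(403, "missing or wrong session path")
            return
        body = b"<h1>config page placeholder</h1>"  # assumed; real page goes here
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(directory):
    token = make_session_token()
    handler = type("Handler", (SessionHandler,), {"token": token})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)  # loopback only, random port
    redirect = write_redirect_file(directory, token, srv.server_address[1])
    webbrowser.open("file://" + redirect)  # only the file path, not the token, is visible
    srv.serve_forever()


if __name__ == "__main__":
    serve(os.path.expanduser("~"))
```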

zanchey added a commit to zanchey/fish-shell that referenced this issue Aug 3, 2014
 - Require all requests to use a session path.
 - Use a redirect file to avoid exposing the '/start' URL on the
   command line, as it contains the cookie value.

Fix for CVE-2014-2914.
Closes fish-shell#1438.
@zanchey zanchey closed this in 4ae2753 Aug 4, 2014
zanchey added a commit that referenced this issue Aug 8, 2014
 - Require all requests to use a session path.
 - Use a redirect file to avoid exposing the URL on the command line, as
   it contains the session path.

Fix for CVE-2014-2914.
Closes #1438.
@zanchey zanchey self-assigned this Sep 1, 2014
jdxcode pushed a commit to jdxcode/fish-shell that referenced this issue Aug 28, 2017
 - Require all requests to use a session path.
 - Use a redirect file to avoid exposing the URL on the command line, as
   it contains the session path.

Fix for CVE-2014-2914.
Closes fish-shell#1438.
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 19, 2020