
Restrict fish_config socket connections (CVE-2014-2914) #1438

Closed
zanchey opened this Issue Apr 28, 2014 · 6 comments

@zanchey
Member

zanchey commented Apr 28, 2014

Before 6d74978 and 44b35f7 anyone* could connect to a running fish_config server and send code to (e.g.) set_prompt, which is obviously bad.

That's been clamped down to localhost-only now, which helps, but it's still possible for someone on your local machine to wait for you to start fish_config and then talk to the server.

There's a perfect API for verifying who is on the other end of a local IP/IPv6 socket - getpeerucred(3). Unfortunately, it's only available on Solaris.

We could include an authentication key in the URL, but that could be read from the command line.

@amluto
Contributor

amluto commented Apr 28, 2014

See #1441 for a nicer version of this.

@zanchey zanchey added this to the 2.1.1 milestone Apr 29, 2014

@zanchey
Member

zanchey commented Jun 28, 2014

Note that #1441 still doesn't stop attackers on the same machine from sending arbitrary code to fish_config. I have not been struck by inspiration for a fix on mainstream platforms.

@amluto
Contributor

amluto commented Jun 28, 2014

Use a token in a query string, perhaps? Or maybe a secret URL prefix?

@zanchey
Member

zanchey commented Jun 29, 2014

You can see that sort of thing in the process table unfortunately.

@amluto
Contributor

amluto commented Jun 29, 2014

Next silly idea: write the main config page to ~/.config/fish/fish_config.html. Stick a secret token in there, and send the user to file:///HOME/.config/fish/fish_config.html.

This might require setting a CORS policy on the server, but that's not so bad.

zanchey added a commit to zanchey/fish-shell that referenced this issue Jul 31, 2014

Authenticate connections to web_config service
 - Require an authentication cookie for all requests.
 - Add a '/start/' handler for setting the authentication cookie.
 - Use a redirect file to avoid exposing the '/start' URL on the command
   line, as it contains the cookie value.

Fix for CVE-2014-2914.
Closes #1438.

@zanchey
Member

zanchey commented Jul 31, 2014

Good idea! I've implemented something similar in #1587.
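The approach the thread converges on (amluto's "secret in a local file" idea and the session-path requirement described in the linked commits), as an added example that is not fish's own webconfig.py code: a loopback-only HTTP server that refuses every request whose first path component is not the per-launch secret, plus an owner-only redirect file so that only a file path, never the secret, is handed to the browser launcher and shows up in the process table. The function and class names (`make_session_path`, `is_authorized`, `write_redirect_file`, `SessionPathHandler`, `run_demo`) and the redirect file name are assumptions of this example; the probe inputs are constructed for the demo.

```python
import hmac
import http.server
import os
import secrets
import stat
import tempfile
import threading
import urllib.error
import urllib.request


def make_session_path():
    """Mint a fresh per-launch secret (assumption: 128 bits, URL-safe)."""
    return secrets.token_urlsafe(16)


def is_authorized(request_path, session_path):
    """True only if the first path component equals the session secret.

    Compared in constant time so a local caller cannot tease the secret out
    byte by byte through timing.  BaseHTTPRequestHandler decodes the request
    line as latin-1, so re-encoding that way never fails and non-ASCII junk
    simply does not match instead of raising.
    """
    first = request_path.lstrip("/").split("/", 1)[0]
    return hmac.compare_digest(first.encode("latin-1"),
                               session_path.encode("ascii"))


def write_redirect_file(directory, session_path, port):
    """Write an owner-only HTML file that bounces the browser to the secret URL.

    The launcher is given only this file's path (e.g. a file:// URL), so
    `ps` shows the path and never the session secret.  Mode 0600 matters:
    another local user who can read the file learns the session path.
    """
    path = os.path.join(directory, "fish_config_redirect.html")  # hypothetical name
    url = f"http://localhost:{port}/{session_path}/"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(f'<meta http-equiv="refresh" content="0; url={url}">\n')
    return path


class SessionPathHandler(http.server.BaseHTTPRequestHandler):
    session_path = None  # set once per launch, before serving

    def do_GET(self):
        if not is_authorized(self.path, self.session_path):
            self.send_error(403, "Forbidden")  # same answer for every bad prefix
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"authenticated request\n")

    def log_message(self, *args):
        pass  # keep the demo quiet


def run_demo():
    """Start a loopback-only server, probe it three ways, and report outcomes."""
    session = make_session_path()
    SessionPathHandler.session_path = session
    server = http.server.HTTPServer(("127.0.0.1", 0), SessionPathHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()

    def status(path):
        try:
            with urllib.request.urlopen(f"http://127.0.0.1:{port}{path}") as r:
                return r.status
        except urllib.error.HTTPError as e:
            return e.code

    try:
        with tempfile.TemporaryDirectory() as tmp:
            redirect = write_redirect_file(tmp, session, port)
            mode = stat.S_IMODE(os.stat(redirect).st_mode)
            with open(redirect, encoding="utf-8") as f:
                body = f.read()
            results = {
                "with_session": status(f"/{session}/"),             # the real client
                "wrong_session": status("/" + "x" * len(session) + "/"),
                "bare_root": status("/"),
                "redirect_private": (mode & 0o077) == 0,
                "redirect_has_url": f"/{session}/" in body,
            }
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    print(run_demo())
```

Running the module prints the probe results: only the request that carries the session path gets a 200, while a wrong prefix and a bare `/` both get 403. Binding to 127.0.0.1 keeps the localhost-only restriction from the earlier commits; the session path is what stops another local user who merely watches for the server to start. As zanchey notes above, this does not help against code already running as the same user, since that code can read the redirect file.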

zanchey added a commit to zanchey/fish-shell that referenced this issue Jul 31, 2014

Authenticate connections to web_config service
 - Require an authentication cookie for all requests.
 - Add a '/start/' handler for setting the authentication cookie.
 - Use a redirect file to avoid exposing the '/start' URL on the command
   line, as it contains the cookie value.

Fix for CVE-2014-2914.
Closes #1438.

zanchey added a commit to zanchey/fish-shell that referenced this issue Aug 3, 2014

Authenticate connections to web_config service
 - Require all requests to use a session path.
 - Use a redirect file to avoid exposing the '/start' URL on the
   command line, as it contains the cookie value.

Fix for CVE-2014-2914.
Closes #1438.

@zanchey zanchey closed this in 4ae2753 Aug 4, 2014

zanchey added a commit that referenced this issue Aug 8, 2014

Authenticate connections to web_config service
 - Require all requests to use a session path.
 - Use a redirect file to avoid exposing the URL on the command line, as
   it contains the session path.

Fix for CVE-2014-2914.
Closes #1438.

zanchey added a commit that referenced this issue Aug 8, 2014

Authenticate connections to web_config service
 - Require all requests to use a session path.
 - Use a redirect file to avoid exposing the URL on the command line, as
   it contains the session path.

Fix for CVE-2014-2914.
Closes #1438.

@zanchey zanchey self-assigned this Sep 1, 2014

jdxcode pushed a commit to jdxcode/fish-shell that referenced this issue Aug 28, 2017

Authenticate connections to web_config service
 - Require all requests to use a session path.
 - Use a redirect file to avoid exposing the URL on the command line, as
   it contains the session path.

Fix for CVE-2014-2914.
Closes #1438.