Restrict fish_config socket connections (CVE-2014-2914) #1438
That's been clamped down to localhost-only now, which helps, but it's still possible for someone on your local machine to wait for you to start fish_config and then talk to the server.
There's a perfect API for verifying who is on the other end of a local IP/IPv6 socket - getpeerucred(3). Unfortunately, it's only available on Solaris.
We could include an authentication key in the URL, but that could be read from the command line.
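
One way to use a per-session key without it appearing on a command line, as an added example (not fish's code and not part of the original issue): the server requires a random key as the first URL path segment, and the full URL is written to an owner-only temporary file that the browser is asked to open, so only the file path shows up in the process list. The function names and the redirect-file approach are assumptions made for illustration.

```python
import hmac, html, os, secrets, tempfile
from http.server import BaseHTTPRequestHandler, HTTPServer

def new_auth_key() -> str:
    # 128 bits from the OS CSPRNG, generated fresh for every server start.
    return secrets.token_hex(16)

def is_authorized(path: str, key: str) -> bool:
    # The key must be the first path segment: /<key>/rest/of/request
    presented = path.lstrip("/").split("/", 1)[0]
    # Constant-time comparison, so response timing does not leak the key.
    return hmac.compare_digest(presented.encode(), key.encode())

def write_launcher(url: str) -> str:
    # mkstemp creates the file with mode 0600: other local users cannot read it.
    fd, name = tempfile.mkstemp(prefix="web_config_", suffix=".html")
    with os.fdopen(fd, "w") as f:
        f.write('<meta http-equiv="refresh" content="0;URL=%s">'
                % html.escape(url, quote=True))
    return name

def make_handler(key: str):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            # Reject every request that does not carry the session key.
            if not is_authorized(self.path, key):
                self.send_error(403)
                return
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok\n")
    return Handler

def start(port: int = 0):
    key = new_auth_key()
    # Loopback only; port 0 lets the OS pick a free port.
    server = HTTPServer(("127.0.0.1", port), make_handler(key))
    url = "http://127.0.0.1:%d/%s/" % (server.server_address[1], key)
    # Caller opens the launcher file in a browser, then runs server.serve_forever().
    return server, write_launcher(url)
```

The launcher file should be deleted once the browser has loaded it, and handlers for other HTTP methods need the same `is_authorized` check.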