Restrict fish_config socket connections (CVE-2014-2914) #1438
Comments
See #1441 for a nicer version of this.

Note that #1441 still doesn't stop attackers on the same machine from sending arbitrary code to

Use a token in a query string, perhaps? Or maybe a secret URL prefix?

You can see that sort of thing in the process table, unfortunately.

Next silly idea: write the main config page to ~/.config/fish/fish_config.html. Stick a secret token in there, and send the user to file:///HOME/.config/fish/fish_config.html. This might require setting a CORS policy on the server, but that's not so bad.

- Require an authentication cookie for all requests.
- Add a '/start/' handler for setting the authentication cookie.
- Use a redirect file to avoid exposing the '/start' URL on the command line, as it contains the cookie value.
Fix for CVE-2014-2914. Closes fish-shell#1438.

Good idea! I've implemented something similar in #1587.

- Require all requests to use a session path.
- Use a redirect file to avoid exposing the '/start' URL on the command line, as it contains the cookie value.
Fix for CVE-2014-2914. Closes fish-shell#1438.

- Require all requests to use a session path.
- Use a redirect file to avoid exposing the URL on the command line, as it contains the session path.
Fix for CVE-2014-2914. Closes #1438.

- Require all requests to use a session path.
- Use a redirect file to avoid exposing the URL on the command line, as it contains the session path.
Fix for CVE-2014-2914. Closes fish-shell#1438.

Before 6d74978 and 44b35f7 anyone* could connect to a running fish_config server and send code to (e.g.) set_prompt, which is obviously bad.
That's been clamped down to localhost-only now, which helps, but it's still possible for someone on your local machine to wait for you to start fish_config and then talk to the server.
There's a perfect API for verifying who is on the other end of a local IP/IPv6 socket - getpeerucred(3). Unfortunately, it's only available on Solaris.
We could include an authentication key in the URL, but that could be read from the command line.
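
Added example, not part of the original thread or the fish-shell code: a sketch of the "session path plus redirect file" approach the commit messages above describe, where every request must carry a random URL prefix and the browser is started on an owner-only redirect file so the prefix never appears on a command line. The function names, the `web_config` file prefix and port 8000 are assumptions made for illustration.

```python
import hmac
import os
import secrets
import tempfile

def new_session_path():
    """Return an unguessable URL prefix, e.g. '/9f2c...e1/' (128 random bits)."""
    return "/" + secrets.token_hex(16) + "/"

def route(request_path, session_path):
    """Return (status, inner_path); anything outside the session path gets 403."""
    prefix = request_path[:len(session_path)].encode("utf-8")
    # Constant-time comparison so response timing does not leak the prefix.
    if not hmac.compare_digest(prefix, session_path.encode("utf-8")):
        return 403, None
    return 200, "/" + request_path[len(session_path):]

def write_redirect_file(port, session_path):
    """Write an owner-only HTML file that redirects the browser to the secret URL.

    Only this file's name is passed to the browser command, so the process
    table shows a temp path rather than the session path.
    """
    url = "http://localhost:%d%s" % (port, session_path)
    html = ('<html><head><meta http-equiv="refresh" content="0;URL=\'%s\'">'
            '</head></html>' % url)
    # mkstemp creates the file with mode 0600 and O_EXCL, so other local
    # users can neither read it nor pre-create it.
    fd, name = tempfile.mkstemp(prefix="web_config", suffix=".html")
    with os.fdopen(fd, "w") as f:
        f.write(html)
    return name

if __name__ == "__main__":
    session = new_session_path()                     # constructed sample run
    print(route("/set_prompt/", session))            # (403, None)
    print(route(session + "set_prompt/", session))   # (200, '/set_prompt/')
    redirect = write_redirect_file(8000, session)
    print(redirect, oct(os.stat(redirect).st_mode & 0o777))
    os.remove(redirect)
```

The file permissions only separate users from each other; a process running as the same user can still read the redirect file.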