Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.Sign up
Restrict fish_config socket connections (CVE-2014-2914) #1438
That's been clamped down to localhost-only now, which helps, but it's still possible for someone on your local machine to wait for you to start fish_config and then talk to the server.
There's a perfect API for verifying who is on the other end of a local IP/IPv6 socket - getpeerucred(3). Unfortunately, it's only available on Solaris.
We could include an authentication key in the URL, but that could be read from the command line.