Re: Braindump: Can we get rid of the font-cache-group question?
Ralf Stubner <email@example.com> wrote:
> Actually, it would work if it points to a file where the attacker has
> write but no read permissions. I am not sure how likely this case is,
> nor how to get around this problem.
Hmmm. Looking at the code you posted, I think it would fail except if
attacking through "$TFMDESTDIR/tfm$$.tmp" when cp is used instead of mv
(presumably a rare case, only happening on DOS). The reason is that if
bar is a symlink, 'mv foo bar' replaces bar, instead of following it. Of
course, if that was so easy, we wouldn't have to use mktemp ever. The
problem is reported a bit earlier, when the mv'ed file is created (here,
$TFMNAME). If it is created in world-writable temp dir, then the attack
can happen there, because $TFMNAME is predictable.
But here, I think it is created in the current directory, right? If this
directory is world-writable, same problem. Otherwise, though it's a bit
ugly to fill the current directory this way, the attack cannot work.
> Actually, I am wondering why this temporary file is used at all. What's
> wrong with
> chmod `kpsestat -xst,go-w "$TFMDESTDIR"` $TFMNAME
> test -r "$TFMDESTDIR/$TFMNAME" || mv $TFMNAME "$TFMDESTDIR" || exit 1
> ? (ignoring DOS and its problems with mv for the moment)
I don't know. BTW, what is it about DOS here? A /bin/sh port for DOS?
Because DOS doesn't have cp, chmod...
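The mv-versus-cp behaviour argued about above, shown in a constructed sandbox. This is an added example, not code from the thread or from the script under discussion; the names sandbox, victim, target, newfile and both function names are invented here.

```sh
#!/bin/sh
# Added example, not code from the thread: demonstrates the claim that
# 'mv foo bar' replaces a symlink 'bar' while 'cp foo bar' follows it.
# All paths and names (sandbox, victim, target, newfile) are constructed here.

# symlink_followed CMD
#   Sets up a private sandbox containing 'victim' (the file an attacker would
#   want overwritten) and 'target' (a symlink to it), then runs "CMD newfile target".
#   Returns 0 if 'victim' now holds newfile's content (the symlink was followed),
#   1 if 'victim' is untouched (the symlink itself was replaced).
symlink_followed() {
    cmd=$1
    sandbox=$(mktemp -d) || return 2   # unpredictable name and mode 0700, unlike a fixed $$ name
    (
        cd "$sandbox" || exit 2
        printf 'original\n' > victim
        ln -s victim target
        printf 'payload\n' > newfile
        "$cmd" newfile target 2>/dev/null
        [ "$(cat victim)" = "payload" ]
    )
    result=$?
    rm -rf "$sandbox"
    return $result
}

# dest_is_safe DIR NAME
#   The check a cautious installer can make before moving a file into a
#   shared directory: refuse if DIR/NAME already exists in any form.
#   'test -e' follows symlinks, so a dangling link needs the extra '-L' test;
#   'test -r' alone would also pass over such a link.
dest_is_safe() {
    ! [ -e "$1/$2" ] && ! [ -L "$1/$2" ]
}

main() {
    if symlink_followed cp; then
        echo "cp: wrote through the symlink into victim"
    else
        echo "cp: did not follow the symlink"
    fi
    if symlink_followed mv; then
        echo "mv: wrote through the symlink into victim"
    else
        echo "mv: replaced the symlink, victim untouched"
    fi
}

main "$@"
```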