Hi Guillem,

* Guillem Jover <[EMAIL PROTECTED]> [2008-07-09 16:36]:
> On Wed, 2008-07-09 at 13:16:04 +0200, Nico Golde wrote:
> > * Guillem Jover <[EMAIL PROTECTED]> [2008-07-09 09:19]:
> > > This game creates the file projectL.prf on the current working dir
> > > every time it's run. It should probably create it under a dot dir on
> > > the home dir. Setting as important, as this might be a security problem
> > > (it might even well be RC).
> >
> > The code that does this seems to be the following from br/prefmanager.d:
> >
> >   public void save(){
> >     auto File fd = new File;
> >     fd.create(PREF_FILE);
> >     fd.write(VERSION_NUM);
> >     _prefData.save(fd);
> >     fd.close();
> >   }
> >   public PrefData prefData() {
> >     return _prefData;
> >   }
> >
> > Does anyone know if this would follow symlinks and thus open a symlink
> > attack here?
> > I have no idea of the D programming language.
>
> I tested this yesterday and it does follow symlinks.

I had a brief look at the rest of the code, can you confirm that this
happens when quitting the game? Added this to the security tracker and
I'll request a CVE id for it.

Thanks for the heads up!

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
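
Added example (not part of the original mail, and not the game's own code, which is D): the same kind of preference save done at the POSIX level in C so that a symlink planted at the target name is replaced rather than followed. The names save_pref and demo_symlink_not_followed, the temp-file naming and the /tmp scratch directory are assumptions made for illustration; the caller would pass a dot dir under the home dir as suggested in the report.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write data to dir/name without ever opening a pre-planted symlink:
 * create a fresh temp file (O_EXCL|O_NOFOLLOW), then rename it into place.
 * rename replaces a symlink at the destination instead of following it. */
int save_pref(const char *dir, const char *name, const void *data, size_t len) {
    char tmp[256];
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    snprintf(tmp, sizeof tmp, ".%s.%ld.tmp", name, (long)getpid());
    int fd = openat(dfd, tmp, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) { close(dfd); return -1; }
    int ok = write(fd, data, len) == (ssize_t)len && fsync(fd) == 0;
    close(fd);
    if (ok) ok = renameat(dfd, tmp, dfd, name) == 0;
    if (!ok) unlinkat(dfd, tmp, 0);   /* fail closed, leave no temp file */
    close(dfd);
    return ok ? 0 : -1;
}

/* Constructed scenario: projectL.prf already exists as a symlink to a
 * victim file. Returns 1 if the victim is untouched and the pref file
 * ended up as a regular file, 0 otherwise. */
int demo_symlink_not_followed(void) {
    char dir[] = "/tmp/prefdemoXXXXXX", victim[300], pref[300], buf[16] = {0};
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(pref, sizeof pref, "%s/projectL.prf", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return 0;
    fputs("secret", f); fclose(f);
    if (symlink(victim, pref) != 0) return 0;
    if (save_pref(dir, "projectL.prf", "prefs", 5) != 0) return 0;
    f = fopen(victim, "r");
    if (!f || !fgets(buf, sizeof buf, f)) return 0;
    fclose(f);
    int ok = strcmp(buf, "secret") == 0 && lstat(pref, &st) == 0 && S_ISREG(st.st_mode);
    unlink(victim); unlink(pref); rmdir(dir);   /* clean up scratch files */
    return ok;
}

int main(void) { return demo_symlink_not_followed() ? 0 : 1; }
```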