forwarded 659379 http://www.uzbl.org/bugs/index.php?do=details&task_id=291&project=1
thanks
Henri Salo wrote:

> > >>This allows local users to steal cookies (and tamper with them).
> > >
> > >Does this security-issue have CVE-identifier? I can request one
> > >from oss-security mailing list if ID hasn't been assigned.
> >
> > It's been already requested, but not assigned yet AFAICS:
> > http://seclists.org/oss-sec/2012/q1/406
>
> Ok. Thank you for fast reply. Please contact me if you need testing
> or other help.

Forwarded to upstream bugtracker and noticed on IRC, I'm waiting for
comments on that side. Here's the report:
http://www.uzbl.org/bugs/index.php?do=details&task_id=291&project=1

While waiting for the proper CVE-id, attached here is a tentative patch
for the cookie plugin. Just umask setting and chmod on existing jar if any.
Reviews appreciated as I'm not a great pythonista...

Cheers, Luca

-- 
 .''`.  ** Debian GNU/Linux **  | Luca Bruno (kaeso)
: :'  :   The Universal O.S.    | lucab (AT) debian.org
`. `'`                          | GPG Key ID: 3BFB9FB3
  `-     http://www.debian.org  | Debian GNU/Linux Developer

commit 53d8dfbb6e4fc29be026672f4d3d43a17b3cfe5d Author: Luca Bruno <lu...@debian.org> Date: Sat Feb 11 15:23:14 2012 +0100 Restrict third-party access to cookie jar Make sure new cookie jar is created with no permission for "others", and remove excessive rights on existing jar if any. Signed-off-by: Luca Bruno <lu...@debian.org> diff --git a/examples/data/plugins/cookies.py b/examples/data/plugins/cookies.py index e29ee36..3d81ebe 100644 --- a/examples/data/plugins/cookies.py +++ b/examples/data/plugins/cookies.py @@ -2,7 +2,7 @@ forwards cookies to all other instances connected to the event manager""" from collections import defaultdict -import os, re +import os, re, stat # these are symbolic names for the components of the cookie tuple symbolic = {'domain': 0, 'path':1, 'name':2, 'value':3, 'scheme':4, 'expires':5} @@ -32,6 +32,13 @@ class ListStore(list): class TextStore(object): def __init__(self, filename): self.filename = filename + try: + # make sure the cookie jar is not world-open + perm_mode = os.stat(self.filename).st_mode + if (perm_mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)) > 0: + os.chmod(self.filename, (stat.S_IMODE(perm_mode) >> 3) << 3) + except OSError: + pass def as_event(self, cookie): """Convert cookie.txt row to uzbls cookie event format""" @@ -76,6 +83,11 @@ class TextStore(object): # delete equal cookies (ignoring expire time, value and secure flag) self.delete_cookie(None, cookie[:-3]) + # restrict umask before creating the cookie jar + curmask=os.umask(0) + print (curmask|(stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)) + os.umask(curmask|(stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)) + first = not os.path.exists(self.filename) with open(self.filename, 'a') as f: if first: 
@@ -86,6 +98,11 @@ class TextStore(object): if not os.path.exists(self.filename): return + # restrict umask before creating the cookie jar + curmask=os.umask(0) + print (curmask|(stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)) + os.umask(curmask|(stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)) + # read all cookies with open(self.filename, 'r') as f: cookies = f.readlines()
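
Review bot: the "except OSError: pass" that closes the TextStore.__init__ hunk (@@ -32,6 +32,13 @@) hides a failed os.chmod as well as a missing file, so a jar that could not be tightened stays readable by others with no sign of it. Ignore only the missing-file case (errno.ENOENT) and at least log the others. The shift expression "(stat.S_IMODE(perm_mode) >> 3) << 3" does clear the three "others" bits, but "stat.S_IMODE(perm_mode) & ~stat.S_IRWXO" says the same thing more directly. Group bits are left untouched, which matches the commit message; it is worth stating in the comment whether group access to the jar is intended.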
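
Review bot: the "print (curmask|(...))" line in the hunk at @@ -76,6 +83,11 @@ looks like leftover debugging and should be removed; it writes the mask to stdout each time this code runs. In the same block, "os.umask(0)" is called only to read the current mask, which leaves the process with a fully open umask until the following line, and the tightened mask is never restored after "open(self.filename, 'a')", so it applies to every file the process creates from then on. Creating the jar with an explicit mode that has no "others" bits (for example os.open with os.O_CREAT and mode 0o600, wrapped in os.fdopen) avoids touching the process-wide umask at all; if umask is kept, save the old value and restore it in a try/finally around the open.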
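
Review bot: the umask block in the hunk at @@ -86,6 +98,11 @@ has no effect on the jar where it is placed: it sits after the "if not os.path.exists(self.filename): return" check and before "open(self.filename, 'r')", and umask only applies when a file is created. The comment "before creating the cookie jar" and the debugging print were copied from the previous hunk along with the code. Either drop the block here and rely on the chmod in __init__ for existing jars, or move the shared logic into one helper so the two copies cannot drift apart.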