On Tue, Apr 23, 2013 at 10:48:43AM +0200, Vincent Lefevre wrote:
> > ago.  There's a reference to it in an earlier comment in this bug:  
> > 
> >   http://marc.info/?l=mutt-dev&m=128900518711082
> 
> But there's a race condition, and I think that the name with the
> suffix can easily be guessed from the file that has just been
> created. 

This is solved by using the randomized temporary (sub)directory I
mentioned in another post.  But even if you don't go that route (it
basically requires a global variable to track the tempdir, which some
may find distasteful), at least you can use the O_EXCL/link methods to
detect the race, and perform a reasonable number of retries.  If you
try, say, ten times, and they all fail, it's a reasonable assumption
that someone is messing with you, and you should investigate that.

Worst case, mutt should try the link X times, and fail, indicating
that something bad is happening, and then EXIT.

> FYI, I've tested your new patch and I'm using it, and it seems to
> work well.

Good to know, thanks Vincent.  It would be nice if someone would
actually take the time to review the code...  But whatever, I've done
my piece, and I think it's quite good.

> And yes, it's a pity patches are ignored.

Indeed.


On Tue, Apr 23, 2013 at 07:47:56AM -0400, grarpamp wrote:
> Oops, I tend to see DoS as separate and latter to security :)

They're one and the same.  Availability is one of the three attributes
of information security (the other two being confidentiality and
integrity).

> > you can add random characters before the suffix, and in case of
> 
> Random chars from where?

Right, and now you see why I suggested you should not try to implement
your own.  Some systems have usable /dev/(u)random, some do not.
Those that do not may not have an adequate source of randomness, or
finding one may be dependent upon system usage.

> Even functions like rand() or random() can be sufficient with a seed
> difficult to guess (whether Mutt is interactive or not), 

This is surprisingly hard, unless your system has a known good way of
generating randomness:

  http://docstore.mik.ua/orelly/networking/puis/ch23_08.htm

> Not sure whether this is up to date:
> 
>   http://www.gnu.org/software/gnulib/manual/html_node/mkstemps.html

That's a lot of systems.

This is an annoyingly hard problem.  Ideally you want to rely on
standard library functions, so you can make it the problem of the
operating system.  Then, at least, you can tell users to put pressure
on the OS vendor to provide reasonable implementations that don't put
them at risk.  It's kind of a cop-out, but in some ways it may be the
best that you can hope for.

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail due to spam prevention.  Sorry for the inconvenience.
