Re: lynx-dev sidenote on early removal of files passed to viewers

From: Klaus Weide
Subject: Re: lynx-dev sidenote on early removal of files passed to viewers
Date: Tue, 21 Dec 1999 06:21:30 -0600 (CST)

> > (I'm wondering
> > why you are still doing removal in lynx, rather than in your viewer
> > scripts - but we discussed that, long time ago.)
On Mon, 20 Dec 1999, Henry Nelson wrote:
> Don't trust myself to write a secure script; also, I really don't want
> public access people to even have the ability to execute a shell, let
> alone run a script.  Same [sick] psychology as "if (iscntrl(FROMASCII
> (from_hex(p[1])*16 + from_hex(p[2]))))" in HTParse.c: stop the monkey
> business before it starts.

Well, you're not sick, just cautious... :)

But I'd like to know whether there *is* any additional danger involved
in using a shell script wrapper.  I don't think so, but maybe someone
who knows better can tell us more.

Considering the following two cases:

     VIEWER:application/x-some-type:/usr/local/bin/most +s %s

     VIEWER:application/x-some-type:/usr/local/bin/ %s

     with a /usr/local/bin/ containing:

     #! /bin/sh
     /usr/local/bin/most +s "$1"
     /bin/rm "$1"

(Replace "/usr/local/bin/" with whatever is appropriate in the situation -
it may be some special "safe" place only used by and for the lynx
account.  Maybe /bin/rm should also go there.
Replace "most +s" with whatever command *is* regarded safe enough to
use in the situation.  This command is just an example - although,
supposedly and according to lynx.cfg, "most +s" is safe, whatever
that means exactly.
Replace "application/x-some-type" with some real type, of course.)

Does case (b) increase the opportunity for "monkey business" in any way?

Things to consider:
- Lynx calls VIEWER commands using system(), and system already uses
  /bin/sh.  On anything resembling Unix, AFAIK.  So whatever problems
  there are with executing a shell process for interpreting
  /usr/local/bin/ already would exist in case (a).
- We can know that the single argument (%s in the VIEWER option, $1
  in the script) is always a temp file generated by Lynx, in the usual
  temp space.  So no funny business with spaces or special characters
  in the filename (if the temp directory name is safe - if not, there
  is no safety anyway).
- Assume it doesn't matter to Lynx whether the file exists after the
  VIEWER command returns.
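
A more defensive form of the case (b) wrapper, given here as an added example that is not part of the message above or of Lynx: it checks the file name against the points under "Things to consider" before running the viewer and removing the file. The function name `view_and_remove` and the `LYNX_TEMP_DIR` variable are hypothetical; the viewer command is the one used in the message.

```shell
#!/bin/sh
# Added example: defensive variant of the case (b) wrapper script.
# Hypothetical names (not from the message): view_and_remove, LYNX_TEMP_DIR.

LC_ALL=C; export LC_ALL        # byte-wise ranges in the patterns below
: "${LYNX_TEMP_DIR:=/tmp}"     # assumed location of Lynx's temp space

# view_and_remove FILE VIEWER [ARG...]
# Runs VIEWER ARG... FILE, then removes FILE. Returns the viewer's exit
# status, or 2 if FILE is rejected (then nothing is run or removed).
view_and_remove() {
    [ "$#" -ge 2 ] || return 2
    file=$1
    shift

    case $file in
        # Anything outside a conservative character set, or any "..".
        *[!A-Za-z0-9_./-]*|*..*) return 2 ;;
        # Must be a path below the temp directory.
        "$LYNX_TEMP_DIR"/?*) ;;
        *) return 2 ;;
    esac

    # Must be an existing regular file and not a symbolic link.
    [ -f "$file" ] && [ ! -L "$file" ] || return 2

    # The name is quoted and starts with "/", so it is passed as one word
    # and cannot be read as an option by the viewer or by rm.
    status=0
    "$@" "$file" || status=$?

    # Fixed PATH for the removal; remove even if the viewer failed.
    PATH=/bin:/usr/bin rm -f "$file"
    return "$status"
}

# When used as the wrapper script itself, Lynx supplies the temp file as $1.
if [ "$#" -gt 0 ]; then
    view_and_remove "$1" /usr/local/bin/most +s
    exit $?
fi
```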

