Closed Bug 107088 Opened 23 years ago Closed 23 years ago

mozilla creates world-readable temp files

Categories

(Core Graveyard :: File Handling, defect)

Product:
Core Graveyard
Component:
File Handling
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
mozilla0.9.9

People

(Reporter: ayurchen, Assigned: law)

Details

(Keywords: privacy, Whiteboard: fix-in-hand)

Attachments

(1 file, 1 obsolete file)

Updated patch with additional occurrence changed.
1.88 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review 
when mozilla downloads a file to launch a plugin on it
(e.g. mp3 player) it sotres the file in /tmp directory
which by default is open to the world, moreover, the file
has world readable permissions. If mozilla crashes,
those files stay there forever, it wouldn't delete them
on restart.

1) shouldn't those files be stored in a private directory?
maybe a subdir in /tmp, but closed to the world, so that
on restart those files could be located easily and deleted.

2) shouldn't those files ultimately be handled through the
common cache mechanism, like regular images and html docs?
Why can't they be just ordinary items in cache?

*** This bug has been marked as a duplicate of 55690 ***
Status: UNCONFIRMED → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
vrfy dupe
Status: RESOLVED → VERIFIED
for now, the TMPDIR env var should override /tmp, do what you like w/ it. if 
you want, we can even relnote it.
Status: VERIFIED → UNCONFIRMED
Resolution: DUPLICATE → ---
Summary: mozilla creates world-readable files in /tmp → mozilla creates world-readable temp files
http://lxr.mozilla.org/seamonkey/source/uriloader/exthandler/nsExternalHelperApp
Service.cpp#921

 mTempFile->CreateUnique(nsIFile::NORMAL_FILE_TYPE, 0644);

http://lxr.mozilla.org/seamonkey/source/uriloader/exthandler/nsExternalHelperApp
Service.cpp#929

 rv = fts->CreateTransport(mTempFile, PR_WRONLY | PR_CREATE_FILE, 0664, 
getter_AddRefs(fileTransport));

Change perms to 0600 in both cases and this problem should be solved.  Setting 
status to new...
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: privacy
Boris, can you review that, then?

Not being a Unix hacker, I interpret that change to mean we grant no priveleges
to group/world?
Scott, can you sr= that, please?
Target Milestone: --- → mozilla0.9.9
Bill, could you make the same change in line 1091 in the same file?  It
currently has:

rv = mFinalFileDestination->CreateUnique(nsIFile::NORMAL_FILE_TYPE, 0644);

This is the creation of the nsIFile we copy to before launching the helper... 
Change that to be 0600 instead of 0644.  With that change also, r=bzbarsky.

And yes, that change gives no rights to group/world
sr=darin with the additional change suggested by bz.
OK, got that one, too.

Will go in ASAP.
Attachment #66057 - Attachment is obsolete: true
Comment on attachment 66182 [details] [diff] [review]
Updated patch with additional occurrence changed.

marking reviews (r=bzbarsky, sr=darin)
Attachment #66182 - Flags: superreview+
Attachment #66182 - Flags: review+
Whiteboard: fix-in-hand
fixed
Status: NEW → RESOLVED
Closed: 23 years ago23 years ago
Resolution: --- → FIXED
vrfy'd fixed using 2002.02.04.17 comm bits on linux rh7.2. tested with both
downloading a file and opening a file with a helper app: in both cases the temp
file [located in /tmp] only had r/w privs for the user [600].
Status: RESOLVED → VERIFIED
The fix for this bug might have caused bug 124814.
It did, and that's a dup
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: