From 903fe9de489af8dfb629627178ec918eb6ef4447 Mon Sep 17 00:00:00 2001
From: Aaron Bieber
Date: Thu, 23 Jan 2020 11:52:26 -0700
Subject: [PATCH] webconfig: Use tempfile instead of ~/.cache (#6522)
OpenBSD uses [unveil(2)](https://man.openbsd.org/unveil) in chromium and firefox. This means that things outside of directories like ~/Downloads or /tmp are not visible to the browsers. Change webconfig so it uses tempfile.NamedTemporaryFile to create our temp file.
---
 share/tools/web_config/webconfig.py | 27 +++++----------------------
 1 file changed, 5 insertions(+), 22 deletions(-)
diff --git a/share/tools/web_config/webconfig.py b/share/tools/web_config/webconfig.py
index 793f5848b..702774c91 100755
--- a/share/tools/web_config/webconfig.py
+++ b/share/tools/web_config/webconfig.py
@@ -21,6 +21,7 @@ import socket
 import string
 import subprocess
 import sys
+import tempfile
 from itertools import chain
 FISH_BIN_PATH = False # will be set later
@@ -1477,32 +1478,14 @@ url = "http://localhost:%d/%s/%s" % (PORT, authkey, initial_tab)
 # Create temporary file to hold redirect to real server. This prevents exposing
 # the URL containing the authentication key on the command line (see
 # CVE-2014-2914 or https://github.com/fish-shell/fish-shell/issues/1438).
-if "XDG_CACHE_HOME" in os.environ:
- dirname = os.path.expanduser(os.path.expandvars("$XDG_CACHE_HOME/fish/"))
-else:
- dirname = os.path.expanduser("~/.cache/fish/")
+f = tempfile.NamedTemporaryFile(prefix='web_config', suffix='.html', mode='w')
-os.umask(0o0077)
-try:
- os.makedirs(dirname, 0o0700)
-except OSError as e:
- if e.errno == 17:
- pass
- else:
- raise e
-
-randtoken = "".join(
- random.choice(string.ascii_uppercase + string.digits) for _ in range(6)
-)
-filename = dirname + "web_config-%s.html" % randtoken
-
-f = open(filename, "w")
 f.write(redirect_template_html % (url, url))
-f.close()
+f.flush()
 # Open temporary file as URL
 # Use open on macOS >= 10.12.5 to work around #4035.
-fileurl = "file://" + filename
+fileurl = "file://" + f.name
 esc = get_special_ansi_escapes()
 print(
@@ -1536,4 +1519,4 @@ except KeyboardInterrupt:
 print("\nShutting down.")
 # Clean up temporary file
-os.remove(filename)
+f.close()
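Review bot: Nothing at the `tempfile.NamedTemporaryFile(...)` call records what now keeps the redirect file private, although it still embeds the authkey URL and the `os.umask(0o0077)` / `0o0700` directory setup that used to protect it is removed. I would add above the call `# NamedTemporaryFile uses mkstemp rules: unpredictable name, readable only by the creating user.` and `# Keep f open: closing deletes the file, so flush() here and close() at shutdown.`; the second comment also explains the bare `f.close()` under "Clean up temporary file" in the last hunk. Two things are worth confirming because they are not visible in this patch: Python documents that a NamedTemporaryFile which is still open cannot be opened again by name on Windows, so a browser launched from a native Windows Python may not be able to read `f.name`, and dropping the process-wide umask presumably changes the mode of any other file this script creates afterwards.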