Re: [dev] [surf] [PATCHES] (1) GConf URL schema handlers (2) delete _SURF_GO xprop (3) close stdout sending XID

From: Bjartur Thorlacius <svartman95_AT_gmail.com>
Date: Sat, 9 Apr 2011 10:27:47 +0000

On 4/7/11, Nick <suckless-dev_AT_njw.me.uk> wrote:
> Quoth Bjartur Thorlacius:
>> On 4/7/11, Adam Strzelecki <ono_AT_java.pl> wrote:
>> > (2) surf-2-delete-_SURF_GO-once-received.patch
>> >
>> > This xprop (atom) may be used to tell *surf* to go to a specific URL. It is
>> > safer to remove this atom just after it is set in case we send some URL
>> > containing passwords or auth tokens such as
>> > http://login:mypassword@myserver.com/
>> > Anyway _SURF_URI will represent the current page URL, so keeping _SURF_GO makes
>> > no sense. In our case it is a matter of safety to not expose this one.
>> >
>> Is there no race condition inherent? What happens if you try to read
>> _SURF_GO just after it's set?
>
> _SURF_GO shouldn't be read, though, it's only used for telling surf
> to load a new page. Unless I'm misunderstanding your point.
>
If it can't be read, then what's the original security breach?
Received on Sat Apr 09 2011 - 12:27:47 CEST
