On Sat, 9 Apr 2011, Bjartur Thorlacius wrote:
> Adam Strzelecki wrote:
>> It is safer to remove this atom just after it is set in case we send
>> some URL containing passwords or auth tokens
> I'm confused as to the state between setting _SURF_GO and removing it.
> It smells like a race condition to me, but then again I don't
> understand X11 properties. I'd like a clarification as to how security
> is kept in the meantime (between setting and removal of _SURF_GO).

Security isn't kept. This seems like more of a prevention of accidental
disclosure than real security. (And therefore pointless...?)

As an example, with this patch applied, run the following:

  # start surf, grabbing its ID
  $ surf -x
  52428803

  # in a 'spy' terminal
  $ xprop -spy -id 52428803 _SURF_GO

  # elsewhere, update _SURF_GO:
  $ sprop 52428803 _SURF_GO asdf

The output in the spy terminal is:

  _SURF_GO: not found
  _SURF_GO(UTF8_STRING) = 0x61, 0x73, 0x64, 0x66 == "asdf"
  _SURF_GO: not found
--
Best, Ben

Received on Sun Apr 10 2011 - 04:25:47 CEST
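The spy-terminal output in the message above can be turned into a repeatable check. The following is an added example, not part of the original message or the surf patch: it parses an xprop -spy transcript in the format quoted above and lists every value of a property that an observer saw, whether or not it was deleted afterwards. The function names, the TRANSCRIPT constant and its last line are assumptions made for this example.

```python
import re

# Line shapes as they appear in the spy-terminal output quoted in the message.
VALUE = re.compile(r'^(?P<name>\w+)\((?P<type>\w+)\)\s*=\s*(?P<rest>.*)$')
NOT_FOUND = re.compile(r'^(?P<name>\w+):\s+not found\.?$')
HEX_BYTE = re.compile(r'0x([0-9a-fA-F]{1,2})\b')


def decode_value(rest):
    """Decode the right-hand side of a value line.

    Uses the hex byte list when present (so multi-byte UTF-8 survives),
    otherwise falls back to a bare quoted string.
    """
    head = rest.split('==', 1)[0].strip()
    if not head.startswith('"'):
        raw = bytes(int(h, 16) for h in HEX_BYTE.findall(head))
        if raw:
            return raw.decode('utf-8', errors='replace')
    quoted = re.fullmatch(r'"(.*)"', rest.strip())
    return quoted.group(1) if quoted else rest.strip()


def exposures(transcript, prop):
    """List each value of `prop` an observer saw, and whether it was deleted afterwards."""
    seen = []
    for line in transcript.splitlines():
        line = line.strip()
        m = VALUE.match(line)
        if m and m.group('name') == prop:
            seen.append({'value': decode_value(m.group('rest')), 'deleted': False})
            continue
        m = NOT_FOUND.match(line)
        if m and m.group('name') == prop and seen:
            seen[-1]['deleted'] = True
    return seen


# The three output lines from the message, followed by one constructed update
# (not from the message) that is still set when the capture ends.
TRANSCRIPT = '''\
_SURF_GO: not found
_SURF_GO(UTF8_STRING) = 0x61, 0x73, 0x64, 0x66 == "asdf"
_SURF_GO: not found
_SURF_GO(UTF8_STRING) = 0x63, 0x61, 0x66, 0xc3, 0xa9 == "caf\\303\\251"
'''

if __name__ == '__main__':
    for event in exposures(TRANSCRIPT, '_SURF_GO'):
        print(event)
```

A value reported with deleted set to True was still delivered in full to the observer, which is the point the transcript in the message makes.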