emacs-devel

Re: address@hidden: security: url-cookies file stored world-readable, al


From: Daniel Kahn Gillmor
Subject: Re: address@hidden: security: url-cookies file stored world-readable, allowing session hijacking]
Date: Mon, 10 Dec 2007 01:19:16 -0500
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.1 (gnu/linux)

On Sat 2007-12-08 20:38:09 -0500, Glenn Morris wrote:

> dkg wrote:
>
>> I just noticed that ~/.url/cookies was world-readable, and its parent
>> directory was world-readable, exposing the cookies emacs held to the
>> outside world, which allows for a session hijacking attack.
>
> I can fix this. Should ~/.url be private, or just certain files within
> it (cookies, history, what else)?

i would suspect that history should also be private -- URLs visited
often hold information that you might not want others to see.  i'm not
sure what else gets placed in that directory, so i don't know if the
directory itself should be mode 0700 or not.

Thanks for the followup,

       --dkg

Attachment: pgp_axrjPIwwj.pgp
Description: PGP signature
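
The check and fix discussed in this message, as an added example that is not part of the original thread or of Emacs itself. It assumes the data directory is ~/.url as in the report; the function names and the 0755/0644 sample modes are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the url data lives in ~/.url;
# pass a different directory as the first argument to either function.

# List the directory and every regular file or subdirectory under it that has
# any group/other permission bit set (POSIX find, no GNU-only -perm /mode).
url_audit() {
    dir=${1:-"$HOME/.url"}
    [ -d "$dir" ] || return 0
    find "$dir" \( -type d -o -type f \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Strip group/other access from the directory tree, leaving the owner's bits
# alone: a 0755 directory becomes 0700 and a 0644 file becomes 0600.
url_harden() {
    dir=${1:-"$HOME/.url"}
    [ -d "$dir" ] || return 0
    find "$dir" \( -type d -o -type f \) -exec chmod go-rwx {} +
}

# Constructed sample tree: a world-readable directory holding world-readable
# cookies and history files (the exact modes are an assumption).
url_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/.url"
    : > "$tmp/.url/cookies"
    : > "$tmp/.url/history"
    chmod 755 "$tmp/.url"
    chmod 644 "$tmp/.url/cookies" "$tmp/.url/history"
    echo "exposed before:"; url_audit "$tmp/.url"
    url_harden "$tmp/.url"
    echo "exposed after:"; url_audit "$tmp/.url"
    rm -rf "$tmp"
}

url_demo
```

Files created later still take their mode from the creating process's umask, so a one-time chmod does not replace a fix in the code that writes them.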

