lyc
/
pwndbg
mirror of https://github.com/pwndbg/pwndbg.git
1
0
Fork 0
Code Releases Activity

fix(tempdir): use safe and unpredictable cachedir location

Browse Source 
The typeinfo module used a static global tempdir location of /tmp/pwndbg
that an attacker may control and prepare symlinks of the predictable
files that are then written to.
pull/972/head
anthraxx 4 years ago committed by Disconnect3d
parent 1c633829de
commit 3583b5704e
3 changed files with 39 additions and 6 deletions
Show Stats Download Patch File Download Diff File

1
pwndbg/__init__.py
Unescape View File

@ -74,6 +74,7 @@ import pwndbg.proc
import pwndbg.prompt import pwndbg.prompt
import pwndbg.regs import pwndbg.regs
import pwndbg.stack import pwndbg.stack
import pwndbg.tempfile
import pwndbg.typeinfo import pwndbg.typeinfo
import pwndbg.ui import pwndbg.ui
import pwndbg.version import pwndbg.version

36
pwndbg/tempfile.py
Unescape View File

@ -0,0 +1,36 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
Common helper and cache for pwndbg tempdir
"""
import os
import tempfile
import pwndbg.memoize
@pwndbg.memoize.forever
def tempdir():
"""
Returns a safe and unpredictable temporary directory with pwndbg prefix.
"""
return tempfile.mkdtemp(prefix='pwndbg-')
@pwndbg.memoize.forever
def cachedir(namespace=None):
"""
Returns and potentially creates a persistent safe cachedir location
based on XDG_CACHE_HOME or ~/.cache
Optionally creates a sub namespace inside the pwndbg cache folder.
"""
cachehome = os.getenv('XDG_CACHE_HOME')
if not cachehome:
cachehome = os.path.join(os.getenv('HOME'), '.cache')
cachedir = os.path.join(cachehome, 'pwndbg')
if namespace:
cachedir = os.path.join(cachedir, namespace)
os.makedirs(cachedir, exist_ok=True)
return cachedir

8
pwndbg/typeinfo.py
Unescape View File

@ -9,13 +9,13 @@ import glob
import os import os
import subprocess import subprocess
import sys import sys
import tempfile
import gdb import gdb
import pwndbg.events import pwndbg.events
import pwndbg.gcc import pwndbg.gcc
import pwndbg.memoize import pwndbg.memoize
import pwndbg.tempfile
module = sys.modules[__name__] module = sys.modules[__name__]
@ -95,10 +95,6 @@ def update():
# Call it once so we load all of the types # Call it once so we load all of the types
update() update()
tempdir = tempfile.gettempdir() + '/pwndbg'
if not os.path.exists(tempdir):
os.mkdir(tempdir)
# Trial and error until things work # Trial and error until things work
blacklist = ['regexp.h', 'xf86drm.h', 'libxl_json.h', 'xf86drmMode.h', blacklist = ['regexp.h', 'xf86drm.h', 'libxl_json.h', 'xf86drmMode.h',
'caca0.h', 'xenguest.h', '_libxl_types_json.h', 'term_entry.h', 'slcurses.h', 'caca0.h', 'xenguest.h', '_libxl_types_json.h', 'term_entry.h', 'slcurses.h',
@ -145,7 +141,7 @@ def load(name):
{name} foo; {name} foo;
'''.format(**locals()) '''.format(**locals())
filename = '%s/%s_%s.cc' % (tempdir, arch, '-'.join(name.split())) filename = '%s/%s_%s.cc' % (pwndbg.tempfile.cachedir('typeinfo'), arch, '-'.join(name.split()))
with open(filename, 'w+') as f: with open(filename, 'w+') as f:
f.write(source) f.write(source)

Write Preview
Loading…
Cancel
Save