View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0003552 | Slicer4 | Core: Extensions | public | 2014-01-10 06:38 | 2017-06-10 08:51 |
Reporter | bpaniagua | Assigned To | matthew-woehlke |
Priority | normal | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed |
Product Version | Slicer 4.3.1 |
Target Version | Slicer 4.4.0 | Fixed in Version | |
Summary | 0003552: Multi-user Slicer Extension installations - Linux |
Description | In the Imaging Ortholab in School of Dentistry UNC we are having problems installing extensions in a multi-user Linux environment. The main issue is caused by the fact that when an extension gets installed, it first downloads the package in /temp, then it unzips it in the home directory of the user. When that user logs out and another user tries to repeat the same operation, a permissions problem arises because that user is trying to re-download the same package in /temp, which belongs to the previous user and still exists there. We have a way around it, having a script that runs at logout that deletes all /temp, but we would like to know if this is something that could be solved. Also, another option is to restart the machine (to get /temp cleaned up), but our users in the lab might not know/not remember all these technicalities. Thank you so much in advance!! |
Tags | No tags attached. |
So... pedantically, this is a security vulnerability; the download name is predictable, which could potentially allow an attacker to overwrite the file with their own content, which is then extracted into the user's home directory. Never mind that we are littering the temporary directory with old downloads :-). Better would be to save the download to a temporary file with a guaranteed-unique name, and delete it again when done.

https://github.com/mwoehlke-kitware/Slicer/tree/3552-safe-temporary-for-extension-download changes it to work as suggested in the previous comment.

Fixed in r23041

Closing resolved issues that have not been updated in more than 3 months.

Import 2017-06-07 23:51:09: master 1e65b561 2014-04-03 11:39:07 mwoehlke

BUG: Use a safe temporary path for download

Change extension downloading to use a temporary file for the download location. This ensures that a: we don't clutter the temporary directory with old downloads, b: multiple users can download the same extension using a shared temporary directory (e.g. most UNIX-like systems), and c: the file name is not predictable, which is a security vulnerability.

Issue 0003552

git-svn-id: http://svn.slicer.org/Slicer4/trunk@23041 3bd1e089-480b-0410-8dfb-8563597acbee

mod - Base/QTCore/qSlicerExtensionsManagerModel.cxx

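
The approach described in the notes and commit message above (download to a uniquely named temporary file, delete it when done), as an added example that is not part of this issue or of Slicer's code. It uses POSIX `mkstemp()` rather than Slicer's Qt-based code, which is not shown on this page; `TempDownload` and the archive name are hypothetical.

```cpp
// Added example, not Slicer code. POSIX only; TempDownload and the archive name are hypothetical.
#include <cstdio>
#include <cstdlib>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Owns a uniquely named download file and removes it when the object is destroyed.
class TempDownload {
public:
  TempDownload(const std::string& dir, const std::string& prefix)
    : path_(dir + "/" + prefix + ".XXXXXX"), fd_(-1) {
    // mkstemp() fills in XXXXXX and opens with O_CREAT|O_EXCL: no existing file or symlink is reused.
    fd_ = mkstemp(&path_[0]);
  }
  ~TempDownload() { if (fd_ >= 0) { close(fd_); unlink(path_.c_str()); } }
  bool ok() const { return fd_ >= 0; }
  const std::string& path() const { return path_; }
  // True when group and others have no access to the file.
  bool ownerOnly() const {
    struct stat st;
    return fstat(fd_, &st) == 0 && (st.st_mode & 077) == 0;
  }
  // Write the whole buffer, retrying on short writes.
  bool write(const std::string& data) {
    size_t done = 0;
    while (done < data.size()) {
      ssize_t n = ::write(fd_, data.data() + done, data.size() - done);
      if (n <= 0) return false;
      done += static_cast<size_t>(n);
    }
    return true;
  }
private:
  TempDownload(const TempDownload&);             // non-copyable: one owner per file
  TempDownload& operator=(const TempDownload&);
  std::string path_;
  int fd_;
};

int main() {
  const char* tmp = std::getenv("TMPDIR");
  const std::string dir = tmp ? tmp : "/tmp";
  // Two downloads of the same (constructed) archive name get distinct files.
  TempDownload a(dir, "SampleExtension.tar.gz"), b(dir, "SampleExtension.tar.gz");
  if (!a.ok() || !b.ok() || !a.ownerOnly() || !a.write("constructed payload\n")) return 1;
  std::printf("%s\n%s\n", a.path().c_str(), b.path().c_str());
  return 0;  // both files are unlinked by the destructors
}
```

Because each caller gets its own file, a leftover download owned by another user in the shared temporary directory no longer blocks the next one.
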
Date Modified | Username | Field | Change |
---|---|---|---|
2014-01-10 06:38 | bpaniagua | New Issue | |
2014-01-10 06:38 | bpaniagua | Status | new => assigned |
2014-01-10 06:38 | bpaniagua | Assigned To | => jcfr |
2014-03-06 11:01 | jcfr | Assigned To | jcfr => matthew-woehlke |
2014-03-06 11:01 | jcfr | Target Version | => Slicer 4.4.0 |
2014-03-19 11:59 | matthew-woehlke | Note Added: 0011458 | |
2014-03-19 12:00 | matthew-woehlke | Note Added: 0011459 | |
2014-03-19 12:00 | matthew-woehlke | Status | assigned => feedback |
2014-04-03 08:11 | matthew-woehlke | Note Added: 0011531 | |
2014-04-03 08:11 | matthew-woehlke | Status | feedback => resolved |
2014-04-03 08:11 | matthew-woehlke | Resolution | open => fixed |
2014-04-22 15:53 | jcfr | Relationship added | has duplicate 0002923 |
2014-09-17 22:59 | jcfr | Status | resolved => closed |
2014-09-17 23:01 | jcfr | Note Added: 0012568 | |
2017-06-10 08:51 | Changeset attached | => Slicer master 1e65b561 |