avoid symlink attacks in __fish_print_packages and spawning fishd

* use $XDG_CACHE_HOME for __fish_print_packages completion caches
* when starting fishd, redirect fishd output to /dev/null, not a
  predictable path

Fix for CVE-2014-3219.

Closes #1440.
David Adam
2014-04-28 23:37:02 +08:00
parent 6596d91c82
commit 3225d7e169
2 changed files with 10 additions and 4 deletions

@@ -58,7 +58,7 @@
#include "fish_version.h"
/** Command used to start fishd */
#define FISHD_CMD L"fishd ^ /tmp/fishd.log.%s"
#define FISHD_CMD L"fishd ^ /dev/null"
// Version for easier debugging
//#define FISHD_CMD L"fishd"
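Review bot: The replacement FISHD_CMD define no longer contains the %s that the old /tmp/fishd.log.%s string carried, so the call site that formats this macro with an argument (not visible in this hunk) should be checked and the now-unused argument dropped. Redirecting stderr to /dev/null also discards any fishd startup errors; a one-line comment on the define saying that the predictable /tmp path was removed because of symlink following in a world-writable directory would keep it from being restored later, and if a log is ever wanted again it should live in a per-user directory rather than /tmp.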