avoid symlink attacks in __fish_print_packages and spawning fishd

 * use $XDG_CACHE_HOME for __fish_print_packages completion caches
 * when starting fishd, redirect fishd output to /dev/null, not a
   predictable path

Fix for CVE-2014-3219.

Closes #1440.

1 files changed, 9 insertions, 3 deletions

diff --git a/share/functions/__fish_print_packages.fish b/share/functions/__fish_print_packages.fish
index ec812a64..6755dd6a 100644
--- a/share/functions/__fish_print_packages.fish
+++ b/share/functions/__fish_print_packages.fish
@@ -12,6 +12,12 @@ function __fish_print_packages
 	#Get the word 'Package' in the current language
 	set -l package (_ Package)
 
+	# Set up cache directory
+	if test -z "$XDG_CACHE_HOME"
+		set XDG_CACHE_HOME $HOME/.cache
+	end
+	mkdir -m 700 -p $XDG_CACHE_HOME
+
 	if type -f apt-cache >/dev/null
 		# Do not generate the cache as apparently sometimes this is slow.
 		# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=547550
@@ -31,7 +37,7 @@ function __fish_print_packages
 
     # Caches for 5 minutes
 	if type -f pacman >/dev/null
-		set cache_file /tmp/.pac-cache.$USER
+		set cache_file $XDG_CACHE_HOME/.pac-cache.$USER
 		if test -f $cache_file
 			cat $cache_file
 			set age (math (date +%s) - (stat -c '%Y' $cache_file))
@@ -51,7 +57,7 @@ function __fish_print_packages
 
 		# If the cache is less than six hours old, we do not recalculate it
 
-		set cache_file /tmp/.yum-cache.$USER
+		set cache_file $XDG_CACHE_HOME/.yum-cache.$USER
 			if test -f $cache_file
 			cat $cache_file
 			set age (math (date +%s) - (stat -c '%Y' $cache_file))
@@ -73,7 +79,7 @@ function __fish_print_packages
 
 		# If the cache is less than five minutes old, we do not recalculate it
 
-		set cache_file /tmp/.rpm-cache.$USER
+		set cache_file $XDG_CACHE_HOME/.rpm-cache.$USER
 			if test -f $cache_file
 			cat $cache_file
 			set age (math (date +%s) - (stat -c '%Y' $cache_file))