Date: Thu, 29 Dec 2005 22:15:00 -0500
From: Martin Cracauer
To: Matt Emmerton
Cc: Barney Wolff, freebsd-current@freebsd.org, Martin Cracauer, Sean Bryant
Subject: Re: fetch extension - use local filename from content-disposition header

Matt Emmerton wrote on Thu, Dec 29, 2005 at 10:09:03PM -0500:
> > Sean Bryant wrote:
> > > Barney Wolff wrote:
> > >
> > >> On Thu, Dec 29, 2005 at 07:33:38PM -0500, Martin Cracauer wrote:
> > >>
> > >>> I'm a bit rusty, so please point me to style mistakes in the appended
> > >>> diff.
> > >>> The following diff implements a "-O" option to fetch(1), which, when
> > >>> set, will make fetch use a local filename supplied by the server in a
> > >>> Content-Disposition header.
> > >>
> > >> Have you considered the security implications of this option?
> > >
> > > It's just an extra option. I'm sure the details could be summed up in the
> > > man page.
> >
> > I think what Barney means is that if you run fetch(1) as root and the
> > server returns the filename as "/sbin/init" bad things will happen.
> > The data returned in Content-Disposition should be used with caution.
>
> Would checking to see if the target file exists, and if so, abort the
> operation and display a warning be sufficient to address the security
> issues? Of course, we'd need some kind of "force" option to override this
> for the foot-shooting folks, and -f is already taken, but that could easily
> be documented as a "limitation" of this option.

I don't like it since it derives too much from standard behavior
which is to use a local name derived from the URL, even if it exists.

Also, not overwriting files doesn't cut it for security, you could
e.g. create a nonexisting .rhosts or .ssh/authorized_keys or play
similar games.

Forbidding "/" will set the security to the same level as the base
functionality. I like that.

Martin
--
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Martin Cracauer http://www.cons.org/cracauer/
FreeBSD - where you want to go, today. http://www.freebsd.org/
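
Added example, not part of the message above and not the code from the diff under discussion: one way to apply the rule the thread settles on, refusing any server-supplied Content-Disposition filename that contains "/". The function name cd_safe_filename and the extra refusal of "." and ".." are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper, not from the diff in the thread: copy the filename
 * parameter of a Content-Disposition value into out. Returns 0, or -1 when
 * there is no usable name. Backslash escapes in quoted strings are ignored. */
int
cd_safe_filename(const char *value, char *out, size_t outlen)
{
	const char *p, *end;
	size_t len;
	/* Find "filename=" at the start of a ';'-separated parameter. */
	for (p = value; (p = strchr(p, ';')) != NULL; ) {
		p += 1 + strspn(p + 1, " \t");
		if (strncasecmp(p, "filename=", 9) == 0)
			break;
	}
	if (p == NULL)
		return (-1);
	p += 9;
	if (*p == '"') {			/* quoted-string form */
		if ((end = strchr(++p, '"')) == NULL)
			return (-1);
	} else					/* token form */
		end = p + strcspn(p, "; \t");
	len = (size_t)(end - p);
	/* The rule from the thread: no '/' anywhere in the name. */
	if (len == 0 || len >= outlen || memchr(p, '/', len) != NULL)
		return (-1);
	/* Assumption beyond the thread: also refuse "." and "..". */
	if (strncmp(p, "..", len) == 0)
		return (-1);
	memcpy(out, p, len);
	out[len] = '\0';
	return (0);
}

int
main(void)
{
	/* Constructed header values, not captured traffic. */
	const char *t[] = { "attachment; filename=\"report.pdf\"",
	    "attachment; filename=\"/sbin/init\"",
	    "attachment; filename=.ssh/authorized_keys" };
	char name[256];
	for (size_t i = 0; i < sizeof(t) / sizeof(t[0]); i++)
		printf("%-45s %s\n", t[i], cd_safe_filename(t[i], name,
		    sizeof(name)) == 0 ? name : "(rejected)");
}
```

A caller that gets -1 can fall back to the name derived from the URL, which is the standard behavior the message refers to.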