From: Sean Bryant <sean@cyberwang.net>
Date: Thu, 29 Dec 2005 22:36:55 -0500
To: Matt Emmerton
Cc: Barney Wolff, Martin Cracauer, freebsd-current@freebsd.org
Subject: Re: fetch extension - use local filename from content-disposition header
Message-ID: <43B4AB57.3050406@cyberwang.net>
In-Reply-To: <030d01c60cf1$db80a290$1200a8c0@gsicomp.on.ca>
References: <20051229193328.A13367@cons.org> <20051230021602.GA9026@pit.databus.com> <43B498DF.4050204@cyberwang.net> <43B49B22.7040307@gmail.com> <023f01c60cee$668f60a0$1200a8c0@gsicomp.on.ca> <20051229221459.A17102@cons.org> <030d01c60cf1$db80a290$1200a8c0@gsicomp.on.ca>
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Fri, 30 Dec 2005 03:40:40 -0000

Matt Emmerton wrote:
>> Matt Emmerton wrote on Thu, Dec 29, 2005 at 10:09:03PM -0500:
>>>> Sean Bryant wrote:
>>>>> Barney Wolff wrote:
>>>>>> On Thu, Dec 29, 2005 at 07:33:38PM -0500, Martin Cracauer wrote:
>>>>>>> I'm a bit rusty, so please point me to style mistakes in the appended
>>>>>>> diff.
>>>>>>> The following diff implements a "-O" option to fetch(1), which, when
>>>>>>> set, will make fetch use a local filename supplied by the server in a
>>>>>>> Content-Disposition header.
>>>>>>
>>>>>> Have you considered the security implications of this option?
>>>>>
>>>>> It's just an extra option. I'm sure the details could be summed up in the
>>>>> man page.
>>>>
>>>> I think what Barney means is that if you run fetch(1) as root and the
>>>> server returns the filename as "/sbin/init" bad things will happen.
>>>> The data returned in Content-Disposition should be used with caution.
>>>
>>> Would checking to see if the target file exists, and if so, abort the
>>> operation and display a warning be sufficient to address the security
>>> issues? Of course, we'd need some kind of "force" option to override this
>>> for the foot-shooting folks, and -f is already taken, but that could easily
>>> be documented as a "limitation" of this option.
>>
>> I don't like it since it derives too much from standard behavior which
>> is to use a local name derived from the URL, even if it exists.
>>
>> Also, not overwriting files doesn't cut it for security, you could
>> e.g. create a nonexisting .rhosts or .ssh/authorized_keys or play
>> similar games.
>>
>> Forbidding "/" will set the security to the same level as the base
>> functionality. I like that.
>
> Agreed, although it still leaves open all the security loopholes that were
> mentioned, given the proper cwd and malicious intent on the server end.
>
> --
> Matt Emmerton

Well, the programmer can only do so much; after that it's up to the user.
Sanitize the filename before writing it. Just escape troublesome characters.
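An added example, not part of this message or of Martin's patch to fetch(1): a conservative check in C for a file name taken from a server's Content-Disposition header, written from the position the thread arrives at. It extracts the filename parameter, then accepts the name only if it contains no "/" (the rule Martin proposes) and does not start with "." (which also covers the .rhosts and .ssh/authorized_keys case he raises, something a "do not overwrite existing files" rule alone does not). Anything rejected falls back to the URL-derived name, which is fetch's normal behaviour. The function names cd_filename, safe_local_name and choose_local_name, the parsing and the exact rejection rules are assumptions made for this illustration, and the header values in main() are constructed samples, not captured traffic.

```c
/*
 * Added example: choosing a local file name from a Content-Disposition
 * header without trusting the server. Not code from fetch(1) or from the
 * patch under discussion; names and rules are assumptions for illustration.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAXNAME 255	/* assumed upper bound on a plain file name */

/*
 * Extract the filename parameter from a header value such as
 *   attachment; filename="report.txt"     or
 *   attachment; filename=report.txt; size=12
 * into out (at most outlen-1 bytes). Returns 1 if found, 0 otherwise.
 * The RFC 5987 "filename*=" form and backslash escapes inside quotes are
 * deliberately not handled; they simply yield 0 and the caller falls back.
 */
int
cd_filename(const char *hdr, char *out, size_t outlen)
{
	const char *p = hdr, *end;
	size_t n;

	for (;;) {
		p = strstr(p, "filename");
		if (p == NULL)
			return 0;
		/* must be a whole parameter name, not e.g. "xfilename" */
		if (p != hdr && p[-1] != ';' && !isspace((unsigned char)p[-1])) {
			p += 8;
			continue;
		}
		p += 8;
		while (isspace((unsigned char)*p))
			p++;
		if (*p != '=')		/* "filename*=" or junk: keep searching */
			continue;
		p++;
		while (isspace((unsigned char)*p))
			p++;
		break;
	}
	if (*p == '"') {		/* quoted-string value */
		p++;
		end = strchr(p, '"');
		if (end == NULL)
			return 0;
	} else {			/* token value: ends at ';' or whitespace */
		end = p;
		while (*end != '\0' && *end != ';' && !isspace((unsigned char)*end))
			end++;
	}
	n = (size_t)(end - p);
	if (n == 0 || n >= outlen)
		return 0;
	memcpy(out, p, n);
	out[n] = '\0';
	return 1;
}

/*
 * Accept a server-supplied name only if it names a plain, non-hidden file
 * in the current directory. Returns 1 if acceptable, 0 if not.
 */
int
safe_local_name(const char *name)
{
	size_t len = strlen(name);

	if (len == 0 || len > MAXNAME)
		return 0;
	if (strchr(name, '/') != NULL)	/* no directory components at all */
		return 0;
	if (name[0] == '.')		/* ".", "..", ".rhosts", ".ssh", ... */
		return 0;
	for (size_t i = 0; i < len; i++)	/* no control characters */
		if (iscntrl((unsigned char)name[i]))
			return 0;
	return 1;
}

/*
 * Use the header's name when it passes the check, otherwise the
 * URL-derived fallback. buf must hold at least MAXNAME + 1 bytes.
 */
const char *
choose_local_name(const char *cd_header, const char *url_name,
    char *buf, size_t buflen)
{
	if (cd_header != NULL && cd_filename(cd_header, buf, buflen) &&
	    safe_local_name(buf))
		return buf;
	return url_name;
}

int
main(void)
{
	/* constructed sample header values, not captured traffic */
	const char *samples[] = {
		"attachment; filename=\"report.txt\"",
		"attachment; filename=\"/sbin/init\"",
		"attachment; filename=../../.ssh/authorized_keys",
		"attachment; filename=.rhosts",
		"inline",
	};
	char buf[MAXNAME + 1];

	for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
		printf("%-50s -> %s\n", samples[i],
		    choose_local_name(samples[i], "index.html", buf, sizeof buf));
	return 0;
}
```

Rejecting rather than escaping keeps the decision simple to audit: a name with a "/" or a leading "." is never written under any cwd, and the user still gets the file under the URL-derived name that fetch would have used without -O.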