Date: Thu, 29 Dec 2005 20:28:08 -0800 From: John-Mark Gurney <gurney_j@resnet.uoregon.edu> To: Andrey Chernov <ache@freebsd.org>, Matt Emmerton <matt@gsicomp.on.ca>, Martin Cracauer <cracauer@cons.org>, Barney Wolff <barney@databus.com>, freebsd-current@freebsd.org, Sean Bryant <sean@cyberwang.net> Subject: Re: fetch extension - use local filename from content-dispositionheader Message-ID: <20051230042807.GA68143@funkthat.com> In-Reply-To: <20051230035724.GA52167@nagual.pp.ru> References: <20051229221459.A17102@cons.org> <030d01c60cf1$db80a290$1200a8c0@gsicomp.on.ca> <20051230035724.GA52167@nagual.pp.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
Andrey A. Chernov wrote this message on Fri, Dec 30, 2005 at 06:57 +0300:
> On Thu, Dec 29, 2005 at 10:33:48PM -0500, Matt Emmerton wrote:
> > > Forbidding "/" will set the security to the same level as the base
> > > functionality. I like that.
> >
> > Agreed, although it still leaves open all the security loopholes that were
> > mentioned, given the proper cwd and malicious intent on the server end.
>
> What about "../../../../../../../../../../../../sbin/init" ?
last I checked there was a / or two in that filename... :) and hence
invalid...
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051230042807.GA68143>