Date: Fri, 30 Dec 2005 08:10:45 -0500
From: Martin Cracauer <cracauer@cons.org>
To: Andrey Chernov <ache@freebsd.org>, Matt Emmerton <matt@gsicomp.on.ca>, Martin Cracauer <cracauer@cons.org>, Barney Wolff <barney@databus.com>, freebsd-current@freebsd.org, Sean Bryant <sean@cyberwang.net>
Subject: Re: fetch extension - use local filename from content-dispositionheader
Message-ID: <20051230081044.A28049@cons.org>
In-Reply-To: <20051230035724.GA52167@nagual.pp.ru>; from ache@FreeBSD.ORG on Fri, Dec 30, 2005 at 06:57:24AM +0300
References: <20051229221459.A17102@cons.org> <030d01c60cf1$db80a290$1200a8c0@gsicomp.on.ca> <20051230035724.GA52167@nagual.pp.ru>

Andrey Chernov wrote on Fri, Dec 30, 2005 at 06:57:24AM +0300:
> On Thu, Dec 29, 2005 at 10:33:48PM -0500, Matt Emmerton wrote:
> > > Forbidding "/" will set the security to the same level as the base
> > > functionality. I like that.
> >
> > Agreed, although it still leaves open all the security loopholes that were
> > mentioned, given the proper cwd and malicious intent on the server end.
>
> What about "../../../../../../../../../../../../sbin/init" ?

Of course I meant I will not allow *any* "/" in the filename. Might
have been lost in the translation.

Martin
-- 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Martin Cracauer <cracauer@cons.org> http://www.cons.org/cracauer/
FreeBSD - where you want to go, today. http://www.freebsd.org/
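
The rule stated in the message above (no "/" anywhere in a server-supplied name), as an added example that is not part of the original e-mail and not fetch(1) code. The function name `cd_local_name`, the simplified header parsing, and the extra rejections of backslashes, control bytes, "." and ".." are assumptions made for this illustration.

```c
#include <stddef.h>
#include <string.h>

/*
 * Hypothetical helper (not fetch(1) code): pull the filename parameter out of
 * a Content-Disposition value and accept it only as a bare name for the cwd.
 * Simplified parsing: lower-case "filename=", no RFC 2231 "filename*=".
 * Returns 0 and fills out on success, -1 if missing or rejected.
 */
int
cd_local_name(const char *hdr, char *out, size_t outlen)
{
	const char *p, *end;
	size_t len, i;

	if ((p = strstr(hdr, "filename=")) == NULL)
		return (-1);
	p += strlen("filename=");
	if (*p == '"') {		/* quoted-string form */
		if ((end = strchr(++p, '"')) == NULL)
			return (-1);
	} else {			/* token form ends at ';' or blank */
		end = p + strcspn(p, "; \t");
	}
	len = (size_t)(end - p);
	if (len == 0 || len >= outlen)
		return (-1);
	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)p[i];
		/* The rule from the thread: no '/' anywhere in the name. */
		if (c == '/')
			return (-1);
		/* Added assumption: also refuse escapes and control bytes. */
		if (c == '\\' || c < 0x20 || c == 0x7f)
			return (-1);
	}
	/* Added assumption: "." and ".." contain no '/' but are not files. */
	if ((len == 1 && p[0] == '.') || (len == 2 && p[0] == '.' && p[1] == '.'))
		return (-1);
	memcpy(out, p, len);
	out[len] = '\0';
	return (0);
}
```

A name that passes this check can still collide with an existing file in the current directory, which is the residual concern quoted in the thread; opening the output with `O_CREAT | O_EXCL` makes such a collision fail instead of overwrite.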