From owner-freebsd-current@FreeBSD.ORG  Fri Dec 30 13:10:59 2005
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
X-Original-To: freebsd-current@freebsd.org
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 887CB16A420;
	Fri, 30 Dec 2005 13:10:59 +0000 (GMT)
	(envelope-from cracauer@schlepper.zs64.net)
Received: from schlepper.zs64.net (schlepper.zs64.net [212.12.50.230])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C53C943D78;
	Fri, 30 Dec 2005 13:10:52 +0000 (GMT)
	(envelope-from cracauer@schlepper.zs64.net)
Received: from schlepper.zs64.net (schlepper [212.12.50.230])
	by schlepper.zs64.net (8.13.3/8.12.9) with ESMTP id jBUDAkkt028133;
	Fri, 30 Dec 2005 14:10:46 +0100 (CET)
	(envelope-from cracauer@schlepper.zs64.net)
Received: (from cracauer@localhost)
	by schlepper.zs64.net (8.13.3/8.12.9/Submit) id jBUDAjP1028132;
	Fri, 30 Dec 2005 08:10:45 -0500 (EST) (envelope-from cracauer)
Date: Fri, 30 Dec 2005 08:10:45 -0500
From: Martin Cracauer <cracauer@cons.org>
To: Andrey Chernov <ache@freebsd.org>, Matt Emmerton <matt@gsicomp.on.ca>,
	Martin Cracauer <cracauer@cons.org>, Barney Wolff <barney@databus.com>, 
	freebsd-current@freebsd.org, Sean Bryant <sean@cyberwang.net>
Message-ID: <20051230081044.A28049@cons.org>
References: <20051229221459.A17102@cons.org>
	<030d01c60cf1$db80a290$1200a8c0@gsicomp.on.ca>
	<20051230035724.GA52167@nagual.pp.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20051230035724.GA52167@nagual.pp.ru>;
	from ache@FreeBSD.ORG on Fri, Dec 30, 2005 at 06:57:24AM +0300
Cc: 
Subject: Re: fetch extension - use local filename from
	content-dispositionheader
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Dec 2005 13:10:59 -0000

Andrey Chernov wrote on Fri, Dec 30, 2005 at 06:57:24AM +0300: 
> On Thu, Dec 29, 2005 at 10:33:48PM -0500, Matt Emmerton wrote:
> > > Forbidding "/" will set the security to the same level as the base
> > > functionality.  I like that.
> > 
> > Agreed, although it still leaves open all the security loopholes that were
> > mentioned, given the proper cwd and malicious intent on the server end.
> 
> What about "../../../../../../../../../../../../sbin/init" ?

Of course I meant I will not allow *any* "/" in the filename.

Might have been lost in the translation.

Martin
-- 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Martin Cracauer <cracauer@cons.org>   http://www.cons.org/cracauer/
FreeBSD - where you want to go, today.      http://www.freebsd.org/