Date: Fri, 30 Dec 2005 08:47:35 -0500
From: Martin Cracauer
To: Barney Wolff
Cc: Martin Cracauer, freebsd-current@freebsd.org, Sean Bryant
Subject: Re: fetch extension - use local filename from content-disposition header
Message-ID: <20051230084735.A28421@cons.org>

I didn't want to randomize the list with a flood of mail, but I
suppose any security discussion is good.

Anyway, hopefully this will make it clear:

> > The security implications are about the same as for the base
> > functionality. Any filename in the current directory can be wiped out
> > if you fetch or wget and a URL redirects to another URL which leads to
> > a filename that matches.
>
> If fetch uses a redirected name as its local filename it is seriously
> broken and must be fixed. The manpage does not mention it.

OK, I just checked. It seems FreeBSD fetch does not do that, sorry.
FreeBSD keeps the filename derived from the user-given URL, but wget
does, it derives a new filename from the target of the relocation.

Well, there's a reason why I want to use fetch, not wget.

Anyway, since this option has to be given by the user on every
invocation, and since there is no other way to get the desired
functionality and since the behavior is non-surprising I'd still go
forward. I am sure anybody who gets lots of customer bug reports in
Mozilla attachments will be thankful.

> > I will forbid "/" to appear in the suggested filename, though.
>
> Remember that the check must be made after any decoding of %xx et al.
> But no check will save the gullible from creating .shosts in $HOME or
> overwriting .profile .

Let's say I forbid file names beginning with ".", too. That covers the
obvious attack cases.

Martin
-- 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Martin Cracauer http://www.cons.org/cracauer/
FreeBSD - where you want to go, today. http://www.freebsd.org/