Date:      Fri, 30 Dec 2005 08:47:35 -0500
From:      Martin Cracauer <cracauer@cons.org>
To:        Barney Wolff <barney@databus.com>
Cc:        Martin Cracauer <cracauer@cons.org>, freebsd-current@freebsd.org, Sean Bryant <sean@cyberwang.net>
Subject:   Re: fetch extension - use local filename from content-disposition header
Message-ID:  <20051230084735.A28421@cons.org>
In-Reply-To: <20051230053906.GA75942@pit.databus.com>; from barney@databus.com on Fri, Dec 30, 2005 at 12:39:06AM -0500
References:  <20051229193328.A13367@cons.org> <20051230021602.GA9026@pit.databus.com> <43B498DF.4050204@cyberwang.net> <43B49B22.7040307@gmail.com> <20051229220403.A16743@cons.org> <20051230053906.GA75942@pit.databus.com>

I didn't want to randomize the list with a flood of mail, but I
suppose any security discussion is good.

Anyway, hopefully this will make it clear:

> > The security implications are about the same as for the base
> > functionality.  Any filename in the current directory can be wiped out
> > if you fetch or wget and a URL redirects to another URL which leads to
> > a filename that matches.  
> 
> If fetch uses a redirected name as its local filename it is seriously
> broken and must be fixed.  The manpage does not mention it.

OK, I just checked.  It seems FreeBSD fetch does not do that, sorry.
FreeBSD keeps the filename derived from the user-given URL, but wget
does, it derives a new filename from the target of the relocation.
Well, there's a reason why I want to use fetch, not wget.

Anyway, since this option has to be given by the user on every
invocation, and since there is no other way to get the desired
functionality and since the behavior is non-surprising I'd still go
forward.  I am sure anybody who gets lots of customer bug reports in
Mozilla attachments will be thankful.

> > I will forbid "/" to appear in the suggested filename, though.
> 
> Remember that the check must be made after any decoding of %xx et al.
> But no check will save the gullible from creating .shosts in $HOME or
> overwriting .profile .

Let's say I forbid file names beginning with ".", too.  That covers the
obvious attack cases.

Martin
-- 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Martin Cracauer <cracauer@cons.org>   http://www.cons.org/cracauer/
FreeBSD - where you want to go, today.      http://www.freebsd.org/
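
The checks discussed in this message (decode %xx first, then reject "/" and a leading "."), as an added example that is not fetch's code or part of the original e-mail. `pct_decode` and `name_ok` are hypothetical names, and the control-character rejection is an extra not raised in the thread.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* Decode %xx escapes. Returns -1 on a malformed escape, %00, or overflow. */
static int pct_decode(const char *src, char *dst, size_t dstlen)
{
	size_t n = 0;
	while (*src != '\0') {
		unsigned char c = (unsigned char)*src++;
		if (c == '%') {
			if (!isxdigit((unsigned char)src[0]) ||
			    !isxdigit((unsigned char)src[1]))
				return (-1);
			char hex[3] = { src[0], src[1], '\0' };
			c = (unsigned char)strtoul(hex, NULL, 16);
			src += 2;
		}
		if (c == '\0' || n + 1 >= dstlen)
			return (-1);
		dst[n++] = (char)c;
	}
	dst[n] = '\0';
	return (0);
}

/* Hypothetical helper: 1 if the server-suggested name may be used locally. */
int name_ok(const char *suggested)
{
	char name[256];
	/* Validate the decoded form, so "%2F" and "%2E" cannot slip through. */
	if (pct_decode(suggested, name, sizeof(name)) != 0)
		return (0);
	if (name[0] == '\0' || name[0] == '.')	/* empty, dotfiles, ".", ".." */
		return (0);
	for (const char *p = name; *p != '\0'; p++)
		if (*p == '/' || iscntrl((unsigned char)*p)) /* iscntrl: extra */
			return (0);
	return (1);
}

int main(void)
{
	/* Constructed sample suggestions, not taken from the thread. */
	const char *t[] = { "report.pdf", "%2Eshosts", "..%2F.profile", "a%2Fb" };
	for (size_t i = 0; i < sizeof(t) / sizeof(t[0]); i++)
		printf("%-16s %s\n", t[i], name_ok(t[i]) ? "accept" : "reject");
	return (0);
}
```

These checks do not stop an overwrite of an existing non-dot file in the current directory; creating the output with open(2) and `O_CREAT|O_EXCL` is one way to refuse that.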