Date: Fri, 30 Dec 2005 03:27:46 +0100
From: Pawel Worach <pawel.worach@gmail.com>
To: Sean Bryant <sean@cyberwang.net>
Cc: Barney Wolff <barney@databus.com>, Martin Cracauer <cracauer@cons.org>, freebsd-current@freebsd.org
Subject: Re: fetch extension - use local filename from content-disposition header
Message-ID: <43B49B22.7040307@gmail.com>
In-Reply-To: <43B498DF.4050204@cyberwang.net>
References: <20051229193328.A13367@cons.org> <20051230021602.GA9026@pit.databus.com> <43B498DF.4050204@cyberwang.net>

Sean Bryant wrote:
> Barney Wolff wrote:
>
>> On Thu, Dec 29, 2005 at 07:33:38PM -0500, Martin Cracauer wrote:
>>
>>> I'm a bit rusty, so please point me to style mistakes in the appended
>>> diff.
>>> The following diff implements a "-O" option to fetch(1), which, when
>>> set, will make fetch use a local filename supplied by the server in a
>>> Content-Disposition header.
>>
>> Have you considered the security implications of this option?
>
> It's just an extra option. I'm sure the details could be summed up in the
> man page.

I think what Barney means is that if you run fetch(1) as root and the
server returns the filename as "/sbin/init" bad things will happen.
The data returned in Content-Disposition should be used with caution.

-- 
Pawel
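
One way a client could treat the server-supplied name with the caution described above, as an added example that is not part of the original message or of the proposed fetch(1) patch. The helper names `safe_local_name` and `open_new_local` are hypothetical, and reducing the name to its last path component (rather than refusing it outright) is an assumed policy.

```c
#include <ctype.h>
#include <fcntl.h>
#include <stddef.h>
#include <string.h>

/*
 * Hypothetical helper (not fetch(1) code): reduce a server-supplied
 * Content-Disposition filename to a bare name for the current directory.
 * Returns 0 and fills out on success, -1 if the name is refused.
 */
int
safe_local_name(const char *hdr_name, char *out, size_t outlen)
{
	const char *base, *p;
	size_t len;

	if (hdr_name == NULL || out == NULL || outlen == 0)
		return (-1);
	/* Drop every directory component: "/sbin/init" becomes "init". */
	base = hdr_name;
	for (p = hdr_name; *p != '\0'; p++)
		if (*p == '/' || *p == '\\')
			base = p + 1;
	len = strlen(base);
	if (len == 0 || len >= outlen)
		return (-1);
	/* Refuse ".", ".." and dotfiles such as ".profile". */
	if (base[0] == '.')
		return (-1);
	/* Refuse control characters (newlines, escape sequences). */
	for (p = base; *p != '\0'; p++)
		if (iscntrl((unsigned char)*p))
			return (-1);
	memcpy(out, base, len + 1);
	return (0);
}

/*
 * Hypothetical helper: create the output file only if nothing exists
 * under that name. O_EXCL makes open(2) fail on an existing file or
 * symlink, so a server-chosen name can never overwrite anything.
 */
int
open_new_local(const char *name)
{
	return (open(name, O_WRONLY | O_CREAT | O_EXCL, 0644));
}
```

Stripping the path alone is not enough when the working directory itself is sensitive, which is why the open is exclusive: the write fails rather than replacing an existing file.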