Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 29 Dec 2005 22:04:03 -0500
From:      Martin Cracauer <cracauer@cons.org>
To:        Pawel Worach <pawel.worach@gmail.com>
Cc:        Barney Wolff <barney@databus.com>, Martin Cracauer <cracauer@cons.org>, freebsd-current@freebsd.org, Sean Bryant <sean@cyberwang.net>
Subject:   Re: fetch extension - use local filename from content-disposition header
Message-ID:  <20051229220403.A16743@cons.org>
In-Reply-To: <43B49B22.7040307@gmail.com>; from pawel.worach@gmail.com on Fri, Dec 30, 2005 at 03:27:46AM %2B0100
References:  <20051229193328.A13367@cons.org> <20051230021602.GA9026@pit.databus.com> <43B498DF.4050204@cyberwang.net> <43B49B22.7040307@gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
Pawel Worach wrote on Fri, Dec 30, 2005 at 03:27:46AM +0100: 
> Sean Bryant wrote:
> > Barney Wolff wrote:
> > 
> >> On Thu, Dec 29, 2005 at 07:33:38PM -0500, Martin Cracauer wrote:
> >>  
> >>
> >>> I'm a bit rusty, so please point me to style mistakes in the appended
> >>> diff.
> >>> The following diff implements a "-O" option to fetch(1), which, when
> >>> set, will make fetch use a local filename supplied by the server in a
> >>> Content-Disposition header.
> >>>   
> >>
> >> Have you considered the security implications of this option?
> >>
> >>  
> >>
> > Its just an extra option. I'm sure the details could be summed up in the 
> > man page.
> 
> I think what Barney means is that if you run fetch(1) as root and the 
> server returns the filename as "/sbin/init" bad things will happen.
> The data returned in Content-Disposition should be used with caution.

First, the option of off by default, only when you say "-O" it will be
considered. 

The security implications are about the same as for the base
functionality.  Any filename in the current directory can be wiped out
if you fetch or wget and a URL redirects to another URL which leads to
a filename that matches.  

The default behavior already *is* that the sending server has control
over your local naming.

I will forbit "/" to appear in the suggested filename, though.

Martin
-- 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Martin Cracauer <cracauer@cons.org>   http://www.cons.org/cracauer/
FreeBSD - where you want to go, today.      http://www.freebsd.org/



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051229220403.A16743>