Date: Fri, 30 Dec 2005 06:57:24 +0300
From: Andrey Chernov <ache@FreeBSD.ORG>
To: Matt Emmerton <matt@gsicomp.on.ca>
Cc: Barney Wolff <barney@databus.com>, Martin Cracauer <cracauer@cons.org>, freebsd-current@FreeBSD.ORG, Sean Bryant <sean@cyberwang.net>
Subject: Re: fetch extension - use local filename from content-disposition header
Message-ID: <20051230035724.GA52167@nagual.pp.ru>
In-Reply-To: <030d01c60cf1$db80a290$1200a8c0@gsicomp.on.ca>
References: <20051229221459.A17102@cons.org> <030d01c60cf1$db80a290$1200a8c0@gsicomp.on.ca>

On Thu, Dec 29, 2005 at 10:33:48PM -0500, Matt Emmerton wrote:
> > Forbidding "/" will set the security to the same level as the base
> > functionality. I like that.
>
> Agreed, although it still leaves open all the security loopholes that were
> mentioned, given the proper cwd and malicious intent on the server end.

What about "../../../../../../../../../../../../sbin/init" ?

-- 
http://ache.pp.ru/
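
Added example, not part of the original message and not code from fetch(1): one way to vet a server-supplied Content-Disposition filename before using it as a local name, and to create the file without replacing anything already in the cwd. The helper names safe_local_name and open_new_local, the 255-byte limit and the no-dotfile rule are assumptions of this sketch.

```c
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns 1 if a server-supplied name may be used as
 * a plain file in the current directory, 0 otherwise. */
int safe_local_name(const char *name)
{
    size_t i, len;

    if (name == NULL || (len = strlen(name)) == 0 || len > 255)
        return 0;
    /* Policy of this example: no leading '.' (this also rejects "." and
     * ".." and dotfiles) and no leading '-' (option-like names). */
    if (name[0] == '.' || name[0] == '-')
        return 0;
    for (i = 0; i < len; i++) {
        /* Any separator is refused: absolute paths and ../ chains alike. */
        if (name[i] == '/')
            return 0;
        if (iscntrl((unsigned char)name[i]))
            return 0;
    }
    return 1;
}

/* Create the file only if nothing by that name exists yet. With
 * O_CREAT|O_EXCL, open() fails on an existing file or symlink, so a
 * file already present in the cwd is never overwritten. */
int open_new_local(const char *name)
{
    if (!safe_local_name(name)) {
        errno = EINVAL;
        return -1;
    }
    return open(name, O_WRONLY | O_CREAT | O_EXCL, 0644);
}

int main(void)
{
    /* Constructed sample names; the second is the string quoted in the thread. */
    const char *samples[] = { "report.tar.gz",
        "../../../../../../../../../../../../sbin/init",
        "/etc/passwd", ".profile", ".." };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-48s %s\n", samples[i],
            safe_local_name(samples[i]) ? "accept" : "reject");
    return 0;
}
```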