fetch extension - use local filename from content-disposition header
Andrey Chernov
ache at FreeBSD.ORG
Thu Dec 29 19:57:34 PST 2005
On Thu, Dec 29, 2005 at 10:33:48PM -0500, Matt Emmerton wrote:
> > Forbidding "/" will set the security to the same level as the base
> > functionality. I like that.
>
> Agreed, although it still leaves open all the security loopholes that were
> mentioned, given the proper cwd and malicious intent on the server end.
What about "../../../../../../../../../../../../sbin/init" ?
--
http://ache.pp.ru/
More information about the freebsd-current
mailing list
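
The rule discussed in this thread (forbid "/" in a file name taken from the Content-Disposition header), as an added example that is not part of the original message and not code from fetch(1). The function names, the 255-byte limit, the rejection of "." / ".." and control characters, and the refusal to overwrite an existing file are assumptions of this example.

```c
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: 1 if a server-supplied name may be used as a plain
 * file name in the current directory, 0 otherwise. */
int
cd_name_ok(const char *name)
{
	const unsigned char *p;

	/* 255 is an assumed per-component limit (typical NAME_MAX). */
	if (name == NULL || name[0] == '\0' || strlen(name) > 255)
		return (0);
	if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
		return (0);
	for (p = (const unsigned char *)name; *p != '\0'; p++)
		if (*p == '/' || iscntrl(*p))	/* no path separators at all */
			return (0);
	return (1);
}

/* Hypothetical helper: create the output file in the cwd. O_EXCL makes
 * open() fail with EEXIST if the name already exists (including when it
 * is a symbolic link), so nothing already in the cwd is replaced. */
int
cd_open_output(const char *name)
{
	if (!cd_name_ok(name)) {
		errno = EINVAL;
		return (-1);
	}
	return (open(name, O_WRONLY | O_CREAT | O_EXCL, 0644));
}

int
main(void)
{
	/* The name quoted in the thread contains '/', so it is rejected. */
	const char *evil = "../../../../../../../../../../../../sbin/init";

	printf("%s -> %s\n", evil, cd_name_ok(evil) ? "accepted" : "rejected");
	return (0);
}
```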