fetch extension - use local filename from content-disposition header
John-Mark Gurney
gurney_j at resnet.uoregon.edu
Thu Dec 29 20:28:34 PST 2005
Andrey A. Chernov wrote this message on Fri, Dec 30, 2005 at 06:57 +0300:
> On Thu, Dec 29, 2005 at 10:33:48PM -0500, Matt Emmerton wrote:
> > > Forbidding "/" will set the security to the same level as the base
> > > functionality. I like that.
> >
> > Agreed, although it still leaves open all the security loopholes that were
> > mentioned, given the proper cwd and malicious intent on the server end.
>
> What about "../../../../../../../../../../../../sbin/init" ?
last I checked there was a / or two in that filename... :) and hence
invalid...
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
More information about the freebsd-current mailing list
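The "/" rule discussed in the message above, as an added example that is not code from the thread or from fetch(1): a hypothetical helper, `cd_local_name`, pulls the `filename=` parameter out of a Content-Disposition value and refuses any name containing a slash. The function name, buffer sizes and the sample header are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper, not fetch(1) code: copy the filename= parameter of a
 * Content-Disposition value into out. Returns 0 if usable as a local name,
 * -1 if missing, too long, or rejected. Escapes inside quoted strings and
 * the filename*= form are not handled. */
int cd_local_name(const char *value, char *out, size_t outlen)
{
	const char *p = value, *end;
	size_t len;
	for (;;) {		/* find a parameter named "filename" */
		if ((p = strchr(p, ';')) == NULL)
			return -1;
		p++;
		p += strspn(p, " \t");
		if (strncasecmp(p, "filename=", 9) == 0)
			break;
	}
	p += 9;
	if (*p == '"') {	/* quoted-string form */
		if ((end = strchr(++p, '"')) == NULL)
			return -1;
	} else {		/* token form ends at ';' or whitespace */
		end = p + strcspn(p, "; \t");
	}
	len = (size_t)(end - p);
	if (len == 0 || len >= outlen)
		return -1;
	/* The rule from the thread: any '/' makes the name invalid. */
	if (memchr(p, '/', len) != NULL)
		return -1;
	/* "." and ".." contain no '/' but are still not file names. */
	if (p[0] == '.' && (len == 1 || (len == 2 && p[1] == '.')))
		return -1;
	memcpy(out, p, len);
	out[len] = '\0';
	return 0;
}

int main(void)
{
	char name[256];
	/* Constructed header value using the path quoted in the thread. */
	const char *cd = "attachment; filename=\"../../../../../../../../../../../../sbin/init\"";
	puts(cd_local_name(cd, name, sizeof(name)) == 0 ? name : "rejected");
	return 0;
}
```

This check only keeps the write inside the current directory; within that directory the server still chooses the name, which is the remaining concern raised in the quoted reply.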