fetch extension - use local filename from content-dispositionheader

John-Mark Gurney gurney_j at resnet.uoregon.edu
Thu Dec 29 20:28:34 PST 2005


Andrey A. Chernov wrote this message on Fri, Dec 30, 2005 at 06:57 +0300:
> On Thu, Dec 29, 2005 at 10:33:48PM -0500, Matt Emmerton wrote:
> > > Forbidding "/" will set the security to the same level as the base
> > > functionality.  I like that.
> > 
> > Agreed, although it still leaves open all the security loopholes that were
> > mentioned, given the proper cwd and malicious intent on the server end.
> 
> What about "../../../../../../../../../../../../sbin/init" ?

last I checked there was a / or two in that filename... :)  and hence
invalid...

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."


More information about the freebsd-current mailing list