fetch extension - use local filename from content-dispositionheader (new diff)

Colin Percival cperciva at freebsd.org
Sat Dec 31 03:44:07 PST 2005

Martin Cracauer wrote:
> The security implications are easy to understand and very well in line
> with other Unix features.  Unpacking an tar or zip file has a lot more
> potential to do damage than this (because the unpacking can also
> contains permissions, you can put a *.cgi with a+x just for starters).
> How come nobody demands that the 3 files that come out of "foo.tar"
> are named foo.1, foo.2 and foo.3 instead of bar.c, bar.h and Makefile?

The situation isn't quite identical (if you unpack a tarball, you should
get the same result every time, while a malicious server could be used
for an adaptive attack), but your point is still quite reasonable.

I withdraw my objection to this feature, as long as the manual page
contains appropriate warnings about not using this flag if there are
any files in the current working directory which you don't want to
have overwritten.

Colin Percival

More information about the freebsd-current mailing list