Re: fetch extension - use local filename from content-disposition header

---

• From: Barney Wolff <barney@xxxxxxxxxxx>
• Date: Fri, 30 Dec 2005 00:39:06 -0500

---

On Thu, Dec 29, 2005 at 10:04:03PM -0500, Martin Cracauer wrote:
>
> The security implications are about the same as for the base
> functionality. Any filename in the current directory can be wiped out
> if you fetch or wget and a URL redirects to another URL which leads to
> a filename that matches.

If fetch uses a redirected name as its local filename it is seriously
broken and must be fixed. The manpage does not mention it.

> The default behavior already *is* that the sending server has control
> over your local naming.

What does the security officer have to say about that, if true?

> I will forbit "/" to appear in the suggested filename, though.

Remember that the check must be made after any decoding of %xx et al.
But no check will save the gullible from creating .shosts in $HOME or
overwriting .profile .
That's why I believe the whole thing is a bad idea.

--
Barney Wolff http://www.databus.com/bwresume.pdf
I never met a computer I didn't like.
_______________________________________________
freebsd-current@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@xxxxxxxxxxx"

---

• Follow-Ups:
  • Re: fetch extension - use local filename from content-disposition header
    • From: Martin Cracauer
  • Re: fetch extension - use local filename from content-disposition header
    • From: Ádám Szilveszter

• References:
  • fetch extension - use local filename from content-disposition header
    • From: Martin Cracauer
  • Re: fetch extension - use local filename from content-disposition header
    • From: Barney Wolff
  • Re: fetch extension - use local filename from content-disposition header
    • From: Sean Bryant
  • Re: fetch extension - use local filename from content-disposition header
    • From: Pawel Worach
  • Re: fetch extension - use local filename from content-disposition header
    • From: Martin Cracauer

• Prev by Date: Re: fetch extension - use local filename from content-dispositionheader
• Next by Date: Cleanup for config(8)
• Previous by thread: Re: fetch extension - use local filename from content-disposition header
• Next by thread: Re: fetch extension - use local filename from content-disposition header
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: fetch extension - use local filename from content-disposition header ... >> Barney Wolff wrote: ... The security implications are about the same as for the base ... Any filename in the current directory can be wiped out ... if you fetch or wget and a URL redirects to another URL which leads to ... (freebsd-current) Re: fetch extension - use local filename from content-disposition header ... Any filename in the current directory can be wiped ... > out if you fetch or wget and a URL redirects to another URL which ... No. Fetch uses the original filename as specified on the command ... (freebsd-current) Re: fetch extension - use local filename from content-disposition header ... server by users and there handled as "attachments". ... The URL filename ... as a local filename. ... Same if you use the new fetch ... (freebsd-current) Re: LWP - multipart/form-data file upload from scalar rather than local file ... Where $PARAM is the name of the parameter, $FILENAME is what you want ... and $CONTENTS is a scalar holding the contents of the ... >> give it a local filename. ... but accept a filehandle as the first argument rather than ... (comp.lang.perl.modules)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• Mailing-Lists
• Newsgroups
• About
• Privacy
• Search
• Imprint

unix.derkeiler.com  > Mailing-Lists  > FreeBSD  > current  > 2005-12