Re: fetch extension - use local filename from content-dispositionheader

Andrey Chernov wrote on Fri, Dec 30, 2005 at 06:57:24AM +0300:
> On Thu, Dec 29, 2005 at 10:33:48PM -0500, Matt Emmerton wrote:
> > > Forbidding "/" will set the security to the same level as the base
> > > functionality. I like that.
> >
> > Agreed, although it still leaves open all the security loopholes that were
> > mentioned, given the proper cwd and malicious intent on the server end.
>
> What about "../../../../../../../../../../../../sbin/init" ?

Of course I meant I will not allow *any* "/" in the filename.

Might have been lost in the translation.

Martin
--
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Martin Cracauer <cracauer@xxxxxxxx> http://www.cons.org/cracauer/
FreeBSD - where you want to go, today. http://www.freebsd.org/
_______________________________________________
freebsd-current@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@xxxxxxxxxxx"

Relevant Pages