Date: Fri, 30 Dec 2005 03:27:46 +0100
From: Pawel Worach
To: Sean Bryant
Cc: Barney Wolff, Martin Cracauer, freebsd-current@freebsd.org
Subject: Re: fetch extension - use local filename from content-disposition header
Message-ID: <43B49B22.7040307@gmail.com>
In-Reply-To: <43B498DF.4050204@cyberwang.net>
References: <20051229193328.A13367@cons.org> <20051230021602.GA9026@pit.databus.com> <43B498DF.4050204@cyberwang.net>
List-Id: Discussions about the use of FreeBSD-current

Sean Bryant wrote:
> Barney Wolff wrote:
>
>> On Thu, Dec 29, 2005 at 07:33:38PM -0500, Martin Cracauer wrote:
>>
>>> I'm a bit rusty, so please point me to style mistakes in the appended
>>> diff.
>>> The following diff implements a "-O" option to fetch(1), which, when
>>> set, will make fetch use a local filename supplied by the server in a
>>> Content-Disposition header.
>>
>> Have you considered the security implications of this option?
>
> It's just an extra option. I'm sure the details could be summed up in the
> man page.

I think what Barney means is that if you run fetch(1) as root and the
server returns the filename as "/sbin/init" bad things will happen. The
data returned in Content-Disposition should be used with caution.

-- 
Pawel
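
The caution raised in this message, as an added example that is not part of the original post or of the patch under discussion: one way a client could treat a server-supplied Content-Disposition filename before using it as a local name. The function names safe_local_name and open_download and the policy itself (last path component only, no dotfiles, never overwrite) are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stddef.h>
#include <string.h>

/*
 * Hypothetical helper, not taken from the patch: reduce a filename taken
 * from a Content-Disposition header to a name that can only refer to an
 * entry in the current directory.  Returns 0 and fills out, or -1.
 */
int
safe_local_name(const char *supplied, char *out, size_t outlen)
{
	const char *base, *p;
	size_t len;

	if (supplied == NULL || out == NULL || outlen == 0)
		return (-1);
	/* Keep only the last path component: "/sbin/init" becomes "init". */
	base = supplied;
	for (p = supplied; *p != '\0'; p++)
		if (*p == '/' || *p == '\\')
			base = p + 1;
	len = strlen(base);
	if (len == 0 || len >= outlen)	/* empty ("dir/") or too long */
		return (-1);
	/* Refuse ".", ".." and dotfiles, and "-x" names that look like options. */
	if (base[0] == '.' || base[0] == '-')
		return (-1);
	for (p = base; *p != '\0'; p++)	/* no control characters */
		if ((unsigned char)*p < 0x20 || *p == 0x7f)
			return (-1);
	memcpy(out, base, len + 1);
	return (0);
}

/*
 * Hypothetical caller: O_EXCL makes open(2) fail if the name already exists
 * (including as a symlink), so a download never replaces an existing file.
 */
int
open_download(const char *supplied)
{
	char name[256];

	if (safe_local_name(supplied, name, sizeof(name)) != 0)
		return (-1);
	return (open(name, O_WRONLY | O_CREAT | O_EXCL, 0644));
}
```

With this policy a root user who happens to be in /sbin is still protected, because the reduced name "init" already exists there and the exclusive create fails.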