Date: Thu, 29 Dec 2005 22:33:48 -0500 From: "Matt Emmerton" <matt@gsicomp.on.ca> To: "Martin Cracauer" <cracauer@cons.org> Cc: Barney Wolff <barney@databus.com>, Martin Cracauer <cracauer@cons.org>, freebsd-current@freebsd.org, Sean Bryant <sean@cyberwang.net> Subject: Re: fetch extension - use local filename from content-dispositionheader Message-ID: <030d01c60cf1$db80a290$1200a8c0@gsicomp.on.ca> References: <20051229193328.A13367@cons.org><20051230021602.GA9026@pit.databus.com><43B498DF.4050204@cyberwang.net><43B49B22.7040307@gmail.com><023f01c60cee$668f60a0$1200a8c0@gsicomp.on.ca> <20051229221459.A17102@cons.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> Matt Emmerton wrote on Thu, Dec 29, 2005 at 10:09:03PM -0500: > > > Sean Bryant wrote: > > > > Barney Wolff wrote: > > > > > > > >> On Thu, Dec 29, 2005 at 07:33:38PM -0500, Martin Cracauer wrote: > > > >> > > > >> > > > >>> I'm a bit rusty, so please point me to style mistakes in the appended > > > >>> diff. > > > >>> The following diff implements a "-O" option to fetch(1), which, when > > > >>> set, will make fetch use a local filename supplied by the server in a > > > >>> Content-Disposition header. > > > >>> > > > >> > > > >> Have you considered the security implications of this option? > > > >> > > > >> > > > >> > > > > Its just an extra option. I'm sure the details could be summed up in the > > > > man page. > > > > > > I think what Barney means is that if you run fetch(1) as root and the > > > server returns the filename as "/sbin/init" bad things will happen. > > > The data returned in Content-Disposition should be used with caution. > > > > Would checking to see if the target file exists, and if so, abort the > > operation and display a warning be sufficient to address the security > > issues? Of course, we'd need some kind of "force" option to override this > > for the foot-shooting folks, and -f is already taken, but that could easily > > be documented as a "limitation" of this option. > > I don't like it since it derives too much from standard behavior which > is to use a local name derived from the URL, even if it exists. > > Also, not overwriting files doesn't cut it for security, you could > e.g. create a nonexisting .rhosts or .ssh/authorized_keys or play > similar games. > > Forbidding "/" will set the security to the same level as the base > functionality. I like that. Agreed, although it still leaves open all the security loopholes that were mentioned, given the proper cwd and malicious intent on the server end. -- Matt Emmerton
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?030d01c60cf1$db80a290$1200a8c0>