
Re: [Bug-wget] Filename to save to


From: Mike Frysinger
Subject: Re: [Bug-wget] Filename to save to
Date: Thu, 5 Jan 2012 22:51:27 -0500
User-agent: KMail/1.13.7 (Linux/3.1.0-atsc; KDE/4.6.5; x86_64; ; )

On Thursday 05 January 2012 22:17:47 Volker Kuhlmann wrote:
> Reading the CVE description gives me the impression that the security
> problem only exists if one was silly enough to allow overwriting
> existing files

not really.  there are plenty of files which often don't exist but get 
automatically sourced like ~/.bash_logout or ~/.profile.  or if people are 
mirroring a website with -nc.  there are plenty of ways that this is wrong.

> create/change ~/.wgetrc, allow creating files in places
> other than below the current directory or with ../ in the path, or dot
> files in the home directory. That shouldn't be difficult to test for.

arbitrary blacklisting causes more problems than it's worth

> There is no option --trust-server-names.

upgrade your wget then
-mike

Attachment: signature.asc
Description: This is a digitally signed message part.
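Added example, not part of the message above and not wget's source code: a simplified Python model of the naming rule behind --trust-server-names. wget versions that have the option name the local file after the requested URL by default and take the name from the redirect target only when the option is given. The denylist, the sample URLs and all function names are constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit, unquote

DEFAULT_NAME = "index.html"  # name wget uses when the URL has no file part

def url_basename(url):
    """Last path component of a URL; query string and fragment are dropped."""
    name = posixpath.basename(unquote(urlsplit(url).path))
    return DEFAULT_NAME if name in ("", ".", "..") else name

def local_name(requested_url, final_url, trust_server_names=False):
    """Simplified model of the naming rule (an assumption, not wget's code).

    By default the name comes from the URL the user asked for, so a
    redirect cannot choose it. With trust_server_names=True the last
    component of the redirect target is used instead.
    """
    return url_basename(final_url if trust_server_names else requested_url)

# Hypothetical denylist of the kind proposed in the quoted text.
DENYLIST = {".wgetrc"}

def denylist_allows(name):
    """True if a name filter would let this server-chosen name through."""
    return name not in DENYLIST

# Constructed samples: (requested URL, URL after redirects).
SAMPLES = [
    ("http://example.test/pkg/tool.tar.gz", "http://mirror.example.test/tool.tar.gz"),
    ("http://example.test/pkg/tool.tar.gz", "http://mirror.example.test/x/.bash_logout"),
    ("http://example.test/download/latest", "http://example.test/files/.profile"),
]

if __name__ == "__main__":
    for requested, final in SAMPLES:
        server_name = url_basename(final)
        print(f"{requested} -> {final}")
        print(f"  default name:          {local_name(requested, final)}")
        print(f"  --trust-server-names:  {local_name(requested, final, True)}")
        print(f"  denylist lets it pass: {denylist_allows(server_name)}")
```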

