[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] Filename to save to

From: Mike Frysinger
Subject: Re: [Bug-wget] Filename to save to
Date: Thu, 5 Jan 2012 22:51:27 -0500
User-agent: KMail/1.13.7 (Linux/3.1.0-atsc; KDE/4.6.5; x86_64; ; )

On Thursday 05 January 2012 22:17:47 Volker Kuhlmann wrote:
> Reading the CVE description gives me the impression that the security
> problem only exists if one was silly enough to allow overwriting
> existing files

not really.  there are plenty of files which often don't exist but get 
automatically sourced like ~/.bash_logout or ~/.profile.  or if people are 
mirroring a website with -nc.  there are plenty of ways that this is wrong.

> create/change ~/.wgetrc, allow creating files in places
> other than below the current directory or with ../ in the path, or dot
> files in the home directory. That shouldn't be difficult to test for.

arbitrary blacklisting causes more problems than it's worth

> There is no option --trust-server-names.

upgrade your wget then

Attachment: signature.asc
Description: This is a digitally signed message part.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]