Re: [Bug-wget] Filename to save to
From: Mike Frysinger
Subject: Re: [Bug-wget] Filename to save to
Date: Thu, 5 Jan 2012 22:51:27 -0500
User-agent: KMail/1.13.7 (Linux/3.1.0-atsc; KDE/4.6.5; x86_64; ; )
On Thursday 05 January 2012 22:17:47 Volker Kuhlmann wrote:
> Reading the CVE description gives me the impression that the security
> problem only exists if one was silly enough to allow overwriting
> existing files

not really. there are plenty of files which often don't exist but get
automatically sourced like ~/.bash_logout or ~/.profile. or if people are
mirroring a website with -nc. there are plenty of ways that this is wrong.

> create/change ~/.wgetrc, allow creating files in places
> other than below the current directory or with ../ in the path, or dot
> files in the home directory. That shouldn't be difficult to test for.

arbitrary blacklisting causes more problems than it's worth

> There is no option --trust-server-names.

upgrade your wget then

-mike