bug-wget

Re: [Bug-wget] New option "--no-list-a"


From: Tim Ruehsen
Subject: Re: [Bug-wget] New option "--no-list-a"
Date: Fri, 30 Aug 2013 12:12:30 +0200
User-agent: KMail/4.10.5 (Linux/3.10-2-amd64; KDE/4.10.5; x86_64; ; )

On Friday 30 August 2013 11:39:41 Daniel Stenberg wrote:
> On Fri, 30 Aug 2013, Tim Ruehsen wrote:
> > Could you enlighten me about where '-a' comes from? RFC 959 is very clear
> > that a param after LIST is either a filename or a directory name.
> 
> LIST -a basically works with the assumption that the server will detect that
> it looks like an option and run ls locally with that option. It is a flawed
> assumption and as you say not based on any FTP spec.

Uhhh, smells like vulnerabilities. The chances may be good to inject some 
shell code. But maybe not today anymore... nobody could resist and meanwhile 
all holes are fixed after the servers had been hacked :-)

Tim
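
The exchange above, as an added example that is not part of the original message and is not wget's or any FTP server's code: a server-side LIST handler that reads the directory in-process, so a leading `-a` is matched against a fixed allowlist and the rest of the argument is only ever a pathname, as RFC 959 describes. The names `ALLOWED_FLAGS`, `parse_list_argument`, `handle_list` and `demo` are hypothetical, and honouring `a` as "include dotfiles" is an assumption modelled on `ls`.

```python
import os
import tempfile

ALLOWED_FLAGS = {"a"}  # assumption: the only ls-style flag this sketch honours


def parse_list_argument(arg):
    """Split a LIST argument into (flags, pathname); no shell is involved."""
    flags, path_tokens = set(), []
    for token in arg.split():
        # Option-looking tokens are only recognised before the pathname starts.
        if token.startswith("-") and len(token) > 1 and not path_tokens:
            if set(token[1:]) - ALLOWED_FLAGS:
                raise ValueError("unsupported LIST option: " + token)
            flags |= set(token[1:])
        else:
            path_tokens.append(token)
    return flags, " ".join(path_tokens) or "."


def handle_list(root, arg):
    """Return sorted entry names for LIST <arg>, confined to the FTP root."""
    flags, rel = parse_list_argument(arg)
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, rel.lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("path escapes the FTP root")
    names = [entry.name for entry in os.scandir(target)]  # read in-process
    if "a" not in flags:
        names = [n for n in names if not n.startswith(".")]
    return sorted(names)


def demo():
    """Constructed sample tree: one visible file and one dotfile."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("readme.txt", ".hidden"):
            open(os.path.join(root, name), "w").close()
        plain = handle_list(root, "")
        with_a = handle_list(root, "-a")
        try:
            handle_list(root, "-R")  # not on the allowlist
            rejected = False
        except ValueError:
            rejected = True
        return plain, with_a, rejected


if __name__ == "__main__":
    print(demo())
```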



