bug-wget
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] [PATCH] Support metalink:file elements with a "path/file"


From: Tim Rühsen
Subject: Re: [Bug-wget] [PATCH] Support metalink:file elements with a "path/file" format
Date: Sat, 13 Aug 2016 11:57:46 +0200
User-agent: KMail/5.2.3 (Linux/4.6.0-1-amd64; KDE/5.23.0; x86_64; ; )

On Freitag, 12. August 2016 22:13:53 CEST Matthew White wrote:
> On Wed, 10 Aug 2016 11:30:12 +0200
> 
> After debugging wget and libmetalink, I can confirm that, due to how
> metalink/libmetalink is conceived (see references), metalink:file names
> posing a security issue are discarded directly by libmetalink, and so they
> will never get to the wget's metalink module.
> 
> e.g. '../File' and '/File1' cannot be written as 'File1' by wget, because
> the whole metalink:file name is discarded by libmetalink.

Good finding.

But don't rely on it.
And gracefully handle 'discarded' file names.

Regards, Tim

Attachment: signature.asc
Description: This is a digitally signed message part.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]