[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: wget2 | Further Enhancement of --download-attr (#529)

From: Tim Rühsen
Subject: Re: wget2 | Further Enhancement of --download-attr (#529)
Date: Sat, 11 Jul 2020 21:16:19 +0000

Tim Rühsen commented:

@wtautz In the current implementation, the path is removed on purpose to not 
allow directory escaping which can be used by attackers (malicious 
servers/websites) to place or overwrite arbitrary files.

What you request is an *extremly* dangerous feature - you should do that only 
with sites you fully trust (e.g. your own site).

A possible solution would be to allow on optional argument, like in 
`--download-attr=noabspath` for using pathes (but remove leading / if there) 
and `--download-attr=abspath` to take the path as is (eventually with a leading 
/). `--download-attr=nopath` is the default then.

Currently, my time for FOSS programming is very limited. Hope I can catch up in 
a few weeks/months.

Reply to this email directly or view it on GitLab: 
You're receiving this email because of your account on gitlab.com.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]