Re: Retain orig. filename as suffix for tmp. filename



Hello!

> > Even worse, some programs could be exploited by giving them bogus
> > filenames as arguments.  I like your idea, but the security issue should
> > be addressed (actually, it exists already because the extension can have
> > bad stuff too).
>
> I'm curious how this is different from copying the file manually and then
> pressing F4? AFAIK the filename is not passed through the shell, so the
> only problem can be a severe bug in the editor, which still exists and
> can be exploited when one copies the file. Of course we limit it a bit,
> but it is still a security issue - in an editor, not mc.

I was thinking if mc would be leveraging a local vulnerability vs.  to a
remote vulnerability, which is worse.  But now I think that if the
attacker can trick me into viewing a file on VFS, he can also trick me
into downloading that file and opening it locally.  So the quoting is not
necessary.

I've applied your patch with minimal changes.  Thank you!

-- 
Regards,
Pavel Roskin


