Re: Retain orig. filename as suffix for tmp. filename
- From: Pavel Roskin <proski gnu org>
- To: Adam Byrtek / alpha <alpha debian org>
- Cc: mc-devel gnome org
- Subject: Re: Retain orig. filename as suffix for tmp. filename
- Date: Tue, 25 Feb 2003 10:38:33 -0500 (EST)
> > Even worse, some programs could be exploited by giving them bogus
> > filenames as arguments. I like your idea, but the security issue should
> > be addressed (actually, it exists already because the extension can have
> > bad stuff too).

> I'm curious how this is different from copying the file manually and then
> pressing F4? AFAIK the filename is not passed through the shell, so the
> only problem can be a severe bug in the editor, which still exists and
> can be exploited when one copies the file. Of course we limit it a bit,
> but it is still a security issue - in an editor, not mc.

I was thinking if mc would be leveraging a local vulnerability vs. to a
remote vulnerability, which is worse. But now I think that if the
attacker can trick me into viewing a file on VFS, he can also trick me
into downloading that file and opening it locally. So the quoting is not

I've applied your patch with minimal changes. Thank you!