Re: Retain orig. filename as suffix for tmp. filename



Hello, Adam!

> I've applied your patch with minimal changes.  Thank you!

Actually, your patch has created a security hole, but not where I
expected.  extfs_cmd() doesn't quote the local filename.  It was OK
before.  But since the local name is now based on the entry name, it must
be quoted.

Try opening in the viewer a file inside a zip archive if that file
contains "&" in the filename.

touch "run&xterm"
zip exploit.zip "run&xterm"

Now look inside :-)

Fortunately, version 4.6.0 is not affected, or I would have to make an
emergency release.  If anybody is running CVS mc or a post-4.6.0 snapshot
and security is of any concern, upgrade to the current snapshot or CVS is
highly recommended.

-- 
Regards,
Pavel Roskin
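
The fix the message calls for, quoting a name before it is placed in a shell command line, sketched as an added example (not mc's code and not part of the original message). The names sh_quote, build_cmd and survives_shell, and the sample file name in main, are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quote s as one POSIX-shell word: wrap it in single quotes and rewrite each
 * embedded ' as '\'' (close quote, escaped quote, reopen). Caller frees. */
char *sh_quote(const char *s)
{
    size_t n = 3;                               /* two quotes + NUL */
    for (const char *p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n), *o = out;
    if (out == NULL) return NULL;
    *o++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(o, "'\\''", 4); o += 4; }
        else *o++ = *p;
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* Hypothetical builder: "<helper> <local>"; quote=0 is the unsafe form. */
char *build_cmd(const char *helper, const char *local, int quote)
{
    char *arg = quote ? sh_quote(local) : strdup(local);
    if (arg == NULL) return NULL;
    size_t n = strlen(helper) + 1 + strlen(arg) + 1;
    char *cmd = malloc(n);
    if (cmd) snprintf(cmd, n, "%s %s", helper, arg);
    free(arg);
    return cmd;
}

/* Pass the quoted name to /bin/sh as printf's argument; 1 if it arrives intact. */
int survives_shell(const char *name)
{
    char buf[256];
    char *cmd = build_cmd("printf %s", name, 1);
    FILE *fp = cmd ? popen(cmd, "r") : NULL;
    free(cmd);
    if (fp == NULL) return 0;
    size_t got = fread(buf, 1, sizeof buf - 1, fp);
    buf[got] = '\0';
    return pclose(fp) == 0 && strcmp(buf, name) == 0;
}

int main(void) { return survives_shell("/tmp/tmp123-run&xterm") ? 0 : 1; }
```

With quote=0 the "&" reaches the shell as a control operator; with quote=1 the whole name is a single literal word.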


