Mailinglist Archive: opensuse-security (465 mails)

< Previous Next >
Re: [suse-security] Did SuSE hack mirror?
  • From: Simon Oliver <simon.oliver@xxxxxxxxxxx>
  • Date: Wed, 05 Dec 2001 11:25:30 +0000
  • Message-id: <3C0E042A.C338791A@xxxxxxxxxxx>
Roman Drahtmueller wrote:
> Well, now that you have found out how the files get denied, no further
> explanation should be necessary to it. The reason is very simple: These
> characters are shell meta characters and can bring about security problems
> in shell scripts that walk through a mirrored tree.

Patient: I've got a sore finger doctor.
Doctor: I'll amputate your arm.

> When I saw these changes two years ago, I was not very content with them
> either (the security problems are in the shell scripts, not in the mirror
> package, so it was the wrong place to fix). But over the time, it proved
> to be quite reasonable, and I reduced my diligence to fixing the obviously
> wrog "unallowed" to "illegal", see the changelog of the package.
It all depeneds what you want to use mirror for I suppose. If the
problem is not with mirror then it shouldn't be fixed there - and at the
least there should be an override or a more strenuous test - again
wouldn't mirror.defaults be a better place for this: exclude_patt?

The /\.\./ match picks up any .. but that is not necessary (unless I am
mistaken, which is quite probable :-). This could easily be fixed with
a tighter expression such as m{(^\.\.)|(/\.\.)}.

> see the changelog of the package.
Where would that be? I looked in '/usr/share/doc/packages/mirror' and
could only find 'CHANGES-since-2.8.txt' and this doesn't mention this
hack. I'm obviously looking in the wrong place.

--
Simon Oiver

< Previous Next >
Follow Ups
References