I was having problems downloading files with ! and .. characters in the filename.
I can see the potential security hazard where the resultant path might point to a different directory than intended but that would require the '..' to start the filepath or follow a '/' - the regexp below is not that specific. Am I missing something here or was this a lazy hack?
Also, what is the potential security problem with files containing an exclamation mark? This question is not rhetorical - I honestly don't know!
Finally, can't this be done in the mirror.defaults file so that it can be overridden on a package by package basis?
Why isn't it documented in /usr/share/doc/packages/mirror? It took me quite a while to track this down!
Well, now that you have found out how the files get denied, no further explanation should be necessary to it. The reason is very simple: These characters are shell meta characters and can bring about security problems in shell scripts that walk through a mirrored tree. When I saw these changes two years ago, I was not very content with them either (the security problems are in the shell scripts, not in the mirror package, so it was the wrong place to fix). But over the time, it proved to be quite reasonable, and I reduced my diligence to fixing the obviously wrog "unallowed" to "illegal", see the changelog of the package.
# important security check - marc@suse.de # we don't use an allow list but an deny list because otherwise # we will get problems with umlaute and other stuff. And the # hole is very small anyway. if ( $src_path =~ m/[\\\n;&<>#\`!\$\*\|]/ || $src_path =~ m/\.\. /) { print STDERR "Error: source filename contains illegal ch aracters: \"$src_path\"\n"; next; }
-- Simon Oliver
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Roman.
--
- -
| Roman Drahtmüller