Mailinglist Archive: opensuse-security (465 mails)

Did SuSE hack mirror?
  • From: Simon Oliver <simon.oliver@xxxxxxxxxxx>
  • Date: Tue, 04 Dec 2001 14:45:33 +0000
  • Message-id: <3C0CE18D.794BF3C0@xxxxxxxxxxx>
I was having problems downloading files with ! and .. characters in the
filename.

I can see the potential security hazard where the resultant path might
point to a different directory than intended but that would require the
'..' to start the filepath or follow a '/' - the regexp below is not
that specific. Am I missing something here or was this a lazy hack?

Also, what is the potential security problem with files containing an
exclamation mark? This question is not rhetorical - I honestly don't
know!

Finally, can't this be done in the mirror.defaults file so that it can
be overridden on a package by package basis?

Why isn't it documented in /usr/share/doc/packages/mirror? It took me
quite a while to track this down!

# important security check - marc@xxxxxxx
# we don't use an allow list but an deny list because otherwise
# we will get problems with umlaute and other stuff. And the
# hole is very small anyway.
if ( $src_path =~ m/[\\\n;&<>#\`!\$\*\|]/ || $src_path =~ m/\.\./) {
    print STDERR "Error: source filename contains illegal characters: \"$src_path\"\n";
    next;
}

--
Simon Oliver
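
Added example (not part of the original message and not code from the mirror package): the substring test for '..' quoted above, next to a test that only matches '..' as a whole path component, which is the distinction the message draws. The helper names and the sample paths are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Substring test, as in the quoted check: true if ".." appears anywhere.
sub has_dotdot_substring {
    my ($path) = @_;
    return $path =~ m/\.\./ ? 1 : 0;
}

# Component test (hypothetical helper): true only if a whole
# '/'-separated component is exactly "..", i.e. ".." sits at the start
# of the path or after a '/', and is followed by a '/' or the end.
sub has_dotdot_component {
    my ($path) = @_;
    return $path =~ m{(?:\A|/)\.\.(?:/|\z)} ? 1 : 0;
}

# Constructed sample paths, not taken from any real mirror listing.
my @samples = (
    'pub/foo..bar.tar.gz',
    'pub/notes...txt',
    'pub/..hidden/file',
    '../etc/passwd',
    'pub/../../etc/passwd',
    'pub/dir/..',
);

printf "%-24s %-10s %s\n", 'path', 'substring', 'component';
for my $path (@samples) {
    printf "%-24s %-10s %s\n", $path,
        has_dotdot_substring($path) ? 'reject' : 'accept',
        has_dotdot_component($path) ? 'reject' : 'accept';
}
```

The first three sample paths are rejected only by the substring test; the last three contain a real parent-directory component and are rejected by both.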
