
List:       netatalk-devel
Subject:    [Netatalk-devel] netatalk SECURITY ALERT - now fixed
From:       Marc Miller <itlm019 () mailbox ! ucdavis ! edu>
Date:       2000-10-06 20:40:47

Okay; I checked my machine for the beforementioned security problem.  The
chown is executed as a system call and not as an execl, so it'll probably
be fine on all platforms.

BAD NEWS:
But as part of my check, I noticed that if the file name includes a
character such as / it will convert it to its hexadecimal equivalent when
it saves it to the netatalk volume.  That's great except that when it
tries to access the file again to chown it, it doesn't pick up that
character translation.  It also means that if I were to make a file called
/etc/passwd that it would write :2fetc:2fpasswd in the correct folder and
change the owner of /etc/passwd.  We don't want that.

GOOD NEWS:
I fixed it by calling mtoupath().  The fix to file.c should be posted
later today.

============================================================
	/\/\arc ._|. /\/\iller (itlm019@mailbox.ucdavis.edu)
	Computer Room Consultant
	Information Technology/Lab Management
============================================================
I can be contacted through the Communication Center link from
http://www.mother.com/~mjmiller/
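
Added example, not part of the original message and not netatalk's code: the create path translates the client-supplied name while the pre-fix chown path uses it raw, and the fix applies the same translation to both. encode_name() is a hypothetical stand-in for mtoupath() that covers only the / to :2f case mentioned in the message; the other function names and the sample names are constructed.

```c
#include <stdio.h>
#include <string.h>

typedef int (*namefn)(const char *, char *, size_t);

/* Hypothetical stand-in for the translation the message describes
 * (netatalk's routine is mtoupath(); this is not its code):
 * '/' in a client-supplied name is stored as ":2f". */
static int encode_name(const char *name, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *name; name++) {
        if (*name == '/') {
            if (o + 3 >= outlen) return -1;   /* keep room for the NUL */
            memcpy(out + o, ":2f", 3);
            o += 3;
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = *name;
        }
    }
    out[o] = '\0';
    return 0;
}

/* Name used when the file is written to the volume: always translated. */
int name_for_create(const char *n, char *out, size_t len) { return encode_name(n, out, len); }

/* Name handed to chown() before the fix: the raw client name. */
int name_for_chown_before(const char *n, char *out, size_t len)
{
    if (strlen(n) >= len) return -1;
    strcpy(out, n);
    return 0;
}

/* After the fix: the same translation as the create path. */
int name_for_chown_after(const char *n, char *out, size_t len) { return encode_name(n, out, len); }

/* Invariant: returns 1 only if create and chown act on the same name. */
int same_target(const char *n, namefn chown_name)
{
    char c[256], o[256];
    if (name_for_create(n, c, sizeof c) < 0 || chown_name(n, o, sizeof o) < 0)
        return 0;
    return strcmp(c, o) == 0;
}

int main(void)
{
    const char *samples[] = { "report.txt", "/etc/passwd" };  /* constructed */
    for (size_t i = 0; i < 2; i++)
        printf("%-12s before=%d after=%d\n", samples[i],
               same_target(samples[i], name_for_chown_before),
               same_target(samples[i], name_for_chown_after));
    return 0;
}
```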
