Re: fetch extension - use local filename from content-disposition header

From: Ádám Szilveszter <adamsz_at_mailpont.hu>
Date: Fri, 30 Dec 2005 09:44:46 +0100 (CET)
On Pén, December 30, 2005 6:39 am, Barney Wolff wrote:
> What does the security officer have to say about that, if true?

You know, there are much bigger problems than that. For example the fact,
that any vulnerability in fetch(1) or libfetch(3) is a remote root
compromise candidate on FreeBSD, because the Ports system still insists on
running it as root by default downloading distfiles from unchecked amd
potentially unsecure servers all over the Internet. This is the real
problem, imho. However, when I mentioned this on -security in a thread
(about trusting trust) all I got back was that it was difficult to make
sure that all ports build as normal user. Which of course does not explain
fetching as root at all, but hey.

Regards and Happy New Year,

Sz.

------------------------------------------------------------------------
Telcsi.hu - A legújabb csengőhangok menő slágerekkel >>>
Polifónikus és normál csengőhangok >>> Animált és normál háttérképek >>>
MP3 effektek >>> http://www.telcsi.hu/index.php?prefix=VM
Received on Fri Dec 30 2005 - 07:44:51 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:49 UTC