Thomas Dickey 2006-11-30, 1:17 pm

On Thu, Nov 30, 2006 at 02:15:42PM +0100, Andreas Barth wrote:
> * Thomas Dickey (dickey@radix.net) [061130 14:12]:
>
> So, what do you think would be the appropriate behaviour? I don't mind
> changing the behaviour to something which sounds sensible for you too,
> but - taking the files from the cwd opens up a can of issues.
yes - I agreed with that, but also pointed out that there wasn't a check
to ensure that the file is not world-writable, etc. That's something
that the various shell programs do for example - iirc csh won't use
.cshrc if you don't own it (for at least some systems ;-).
It would be nice to ensure that the global mailcap/mime.types files also
are secure, but that's harder to do (portably) since you can't assume
much about the ownership of the file. But I did at least ensure that
those are absolute pathnames.
>
> I'm sorry, but I didn't see any comments from you on this bug report -
> though perhaps I didn't look deep enough.
It was moved from another number, where I pointed out that most of the
given examples were still true for the user's home directory. However,
my remark about ignored comments applies to the last couple of years.
Anyway, compare with the patch I made a couple of weeks ago.
--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net
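
The checks discussed in the message above (absolute pathname, owned by the user, not writable by group or others), as an added example that is not part of the original message or of any patch it refers to. The names `open_trusted_config` and `cfg_status` are hypothetical, and requiring the file to be owned by the calling user is an assumption modelled on the csh behaviour mentioned; it fits per-user files, not the global ones.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Why a per-user config file was refused; CFG_OK means it may be read. */
enum cfg_status { CFG_OK, CFG_RELATIVE, CFG_OPEN_FAILED, CFG_NOT_REGULAR,
                  CFG_BAD_OWNER, CFG_WRITABLE_BY_OTHERS };

/* Open path and vet the opened descriptor with fstat(), so the file checked
 * is the file read. *fd_out is the descriptor on CFG_OK, otherwise -1. */
enum cfg_status open_trusted_config(const char *path, uid_t user, int *fd_out)
{
    struct stat st;
    enum cfg_status rc = CFG_OK;
    int fd;
    *fd_out = -1;
    if (path == NULL || path[0] != '/')
        return CFG_RELATIVE;          /* never resolved against the cwd */
    fd = open(path, O_RDONLY | O_NONBLOCK);   /* do not hang on a FIFO */
    if (fd < 0)
        return CFG_OPEN_FAILED;
    if (fstat(fd, &st) != 0)
        rc = CFG_OPEN_FAILED;
    else if (!S_ISREG(st.st_mode))
        rc = CFG_NOT_REGULAR;
    else if (st.st_uid != user)
        rc = CFG_BAD_OWNER;           /* assumption: only the user's own files */
    else if (st.st_mode & (S_IWGRP | S_IWOTH))
        rc = CFG_WRITABLE_BY_OTHERS;  /* group- or world-writable */
    if (rc == CFG_OK)
        *fd_out = fd;
    else
        close(fd);
    return rc;
}

int main(void)
{
    char path[] = "/tmp/cfgcheckXXXXXX";    /* constructed sample file */
    int fd, tmp = mkstemp(path);
    if (tmp < 0 || fchmod(tmp, 0666) != 0)  /* simulate a world-writable file */
        return 1;
    printf("%s -> status %d\n", path, open_trusted_config(path, geteuid(), &fd));
    close(tmp);
    unlink(path);
    return 0;
}
```

The caller reads the configuration from the returned descriptor rather than reopening the path, which keeps the check and the read on the same file.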