On Friday, 12. August 2016 22:13:53 CEST Matthew White wrote:
> On Wed, 10 Aug 2016 11:30:12 +0200
>
> After debugging wget and libmetalink, I can confirm that, due to how
> metalink/libmetalink is conceived (see references), metalink:file names
> posing a security issue are discarded directly by libmetalink, and so they
> will never get to the wget's metalink module.
>
> e.g. '../File' and '/File1' cannot be written as 'File1' by wget, because
> the whole metalink:file name is discarded by libmetalink.

Good finding. But don't rely on it. And gracefully handle 'discarded' file names.

Regards, Tim
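
The check discussed in this message, as an added example that is not part of the original mail and is not wget or libmetalink code: a caller-side validation of a metalink:file name that does not depend on the parsing library having already discarded it, and that skips a missing name instead of failing. The function names are hypothetical and POSIX '/' separators are assumed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not a wget or libmetalink function): returns true only
   if NAME is a relative path with no empty, "." or ".." component. */
bool
metalink_name_is_safe (const char *name)
{
  if (name == NULL || *name == '\0')   /* name discarded upstream, or empty */
    return false;
  if (*name == '/')                    /* absolute path, e.g. "/File1" */
    return false;

  const char *p = name;
  while (*p)
    {
      size_t len = strcspn (p, "/");   /* length of the current component */
      if (len == 0)                    /* empty component, e.g. "a//b" */
        return false;
      if (len == 1 && p[0] == '.')     /* "." component */
        return false;
      if (len == 2 && p[0] == '.' && p[1] == '.')   /* ".." component */
        return false;
      p += len;
      if (*p == '/')
        {
          p++;
          if (*p == '\0')              /* trailing slash names a directory */
            return false;
        }
    }
  return true;
}

/* Count the entries that may be written.  Unsafe or missing (NULL) names are
   skipped rather than rewritten, and they do not abort the whole run. */
size_t
count_usable_names (const char *const *names, size_t n)
{
  size_t ok = 0;
  for (size_t i = 0; i < n; i++)
    if (metalink_name_is_safe (names[i]))
      ok++;
  return ok;
}
```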
