On Wednesday 07 December 2005 at 17:36 +0100, Moritz Naumann wrote:
> My guess is that file-roller incorrectly passes the password to the zip 
> utility, using something like 
>   $ zip -P mypassword my.zip file1 file2
> 
> While this could be considered a security issue by itself (using the -e 
> option to pass the password to the (un)zip application is highly 
> recommended), the password may not be correctly escaped when being passed.
> 
> Obviously, passing a password value of 'foo$bah' using something like
>   $ zip -P foo$bah my.zip file1 file2
> will not work.

You are right. The password is improperly escaped when passed to the
"zip" command. That part of the code is absolutely horrible; it must be
rewritten for obvious security reasons.

Regards,
-- 
 .''`.           Josselin Mouette        /\./\
: :' :           [EMAIL PROTECTED]
`. `'                        [EMAIL PROTECTED]
   `-  Debian GNU/Linux -- The power of freedom
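The failure mode the two messages describe, as an added example that is not file-roller's code and not part of the original thread: a password is pasted into a shell command string with no escaping, so the shell interprets `$bah` (an unset variable, so it expands to nothing) and a `;` ends the command entirely. The real `zip` is not needed to run it; a `printf` that echoes each argv entry in angle brackets stands in for it, and the archive and file names are constructed here. The third function shows the fix that needs no escaping at all: building argv directly and never invoking a shell.

```python
import shlex
import subprocess

# Stand-in for the zip binary: prints every argument it receives on its own
# line, wrapped in <>, so we can see exactly what the real tool would get.
ZIP_STAND_IN = "printf '<%s>\\n'"


def naive_zip_command(password, archive, files):
    """The pattern the report describes: the password is interpolated into a
    shell string with no escaping and the string is handed to /bin/sh."""
    return f"{ZIP_STAND_IN} -P {password} {archive} {' '.join(files)}"


def quoted_zip_command(password, archive, files):
    """Same shell string, but every user-controlled word is shell-quoted,
    so $ and ; reach the tool as literal characters."""
    words = ["-P", password, archive, *files]
    return f"{ZIP_STAND_IN} " + " ".join(shlex.quote(w) for w in words)


def run_via_shell(cmd):
    """Run a command string through /bin/sh; return the lines it printed."""
    res = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return res.stdout.splitlines()


def run_without_shell(password, archive, files):
    """Preferred form: build argv as a list and execute it with no shell in
    between, so there is nothing to escape. 'printf' replaces 'zip' here."""
    argv = ["printf", "<%s>\n", "-P", password, archive, *files]
    res = subprocess.run(argv, capture_output=True, text=True)
    return res.stdout.splitlines()


if __name__ == "__main__":
    files = ["file1", "file2"]
    for pw in ("foo$bah", "x; echo INJECTED"):
        print("password:", repr(pw))
        print("  naive   :", run_via_shell(naive_zip_command(pw, "my.zip", files)))
        print("  quoted  :", run_via_shell(quoted_zip_command(pw, "my.zip", files)))
        print("  no shell:", run_without_shell(pw, "my.zip", files))
```

With `foo$bah` the naive form silently hands the tool the password `foo`; with `x; echo INJECTED` it runs a second command of the password author's choosing. Both the quoted and the no-shell forms deliver the password byte for byte. Note that correct escaping only fixes the injection: with `-P` the password is still an argv entry, visible to every local user in `ps`, which is why the quoted message recommends `-e` (interactive prompt) instead.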

