Roland Mas wrote:
>   I'd like to upload a fixed package to sid and etch-security (sarge
> is not affected).  I'd welcome feedback on the patch

I only had a brief look at it, but I generally recommend identifying
a set of allowed, known-to-be-secure characters and only allowing
these, instead of filtering potentially malicious characters.
So, if the value to be sanitised is a file name, you could limit it to
"/", a-z, A-Z and 0-9.

If you want to filter the input as in your proposed patch please make
sure to compare your list of harmful characters against the list from
the Security Unix Programming HOWTO:
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/handle-metacharacters.html

> and instructions
> on how to do the upload the proper way.  In the meantime, I'll port
> the patch to the current upstream SVN repository, and coordinate with
> other upstream authors so it can get applied to all relevant branches.

If you upload a fixed package to anonymous-security, please make sure it's
built sourceful (with -sa), as gforge is new inside the stable-security
suite.

Do other distributions include GForge? If so, I can coordinate with other
vendors through vendor-sec.

Cheers,
        Moritz



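The allowlist-versus-denylist point above, as an added example that is not part of the thread or of the GForge patch under discussion. It implements the suggested allowlist ("/", a-z, A-Z, 0-9) next to a constructed denylist of shell metacharacters (an assumption, not the patch's actual list) and shows which inputs the denylist lets through that the allowlist rejects.

```python
import re

# Allowlist as suggested in the reply: "/", a-z, A-Z and 0-9.
# \A and \Z anchor to the whole string; a trailing "$" would still match
# "file\n", because "$" accepts a position before a final newline.
# Note that "." is not allowed, so a "../" segment cannot be expressed.
ALLOWED_FILENAME = re.compile(r'\A[A-Za-z0-9/]+\Z')

# Constructed denylist for illustration only (not the patch's list):
# the kind of shell metacharacter set one might try to strip.
SHELL_META = set('&;`\'"|*?~<>^()[]{}$\\')


def allowlist_ok(value: str) -> bool:
    """Accept only strings made entirely of allowed characters."""
    return bool(ALLOWED_FILENAME.match(value))


def denylist_strip(value: str) -> str:
    """Remove denylisted characters; anything not listed passes through."""
    return ''.join(ch for ch in value if ch not in SHELL_META)


def compare(value: str) -> dict:
    """Run both approaches on one input and flag what the denylist missed."""
    stripped = denylist_strip(value)
    return {
        'allowlist_accepts': allowlist_ok(value),
        'denylist_result': stripped,
        # True when the denylist output still contains characters the
        # allowlist would not accept (newline, NUL, ".", non-ASCII, ...).
        'denylist_left_unsafe': not allowlist_ok(stripped),
    }


if __name__ == '__main__':
    # Constructed sample inputs.
    for sample in ('data/pub/file1', 'a`id`b', 'file\nextra',
                   'file\x00txt', '../etc/passwd'):
        print(repr(sample), compare(sample))
```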