Hello, Adam!

> I've applied your patch with minimal changes. Thank you!

Actually, your patch has created a security hole, but not where I expected. extfs_cmd() doesn't quote the local filename. It was OK before. But since the local name is now based on the entry name, it must be quoted.

Try opening in the viewer a file inside a zip archive if that file contains "&" in the filename.

    touch "run&xterm"
    zip exploit.zip "run&xterm"

Now look inside :-)

Fortunately, version 4.6.0 is not affected, or I would have to make an emergency release. If anybody is running CVS mc or a post-4.6.0 snapshot and security is of any concern, upgrading to the current snapshot or CVS is highly recommended.

--
Regards,
Pavel Roskin
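
The fix the message calls for, quoting the local filename before it reaches the shell, shown as an added example that is not part of the original message and not mc's own code. The functions shell_quote() and build_copyout(), the helper name "uzip", the "copyout" verb and the /tmp path are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical helper (not mc's code): wrap s in single quotes for /bin/sh,
 * rewriting each embedded ' as '\'' so the shell treats every byte as data.
 * Returns a malloc'd string, or NULL on allocation failure. */
char *shell_quote(const char *s)
{
    size_t n = 3;                          /* two quotes + NUL */
    for (const char *p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n), *q = out;
    if (!out) return NULL;
    *q++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(q, "'\\''", 4); q += 4; }
        else *q++ = *p;
    }
    *q++ = '\'';
    *q = '\0';
    return out;
}

/* Hypothetical command builder: "<helper> copyout <archive> <entry> <local>".
 * Every file name is quoted, including the local one derived from the entry. */
char *build_copyout(const char *helper, const char *archive,
                    const char *entry, const char *local)
{
    char *a = shell_quote(archive), *e = shell_quote(entry), *l = shell_quote(local);
    char *cmd = NULL;
    if (a && e && l) {
        size_t n = strlen(helper) + strlen(a) + strlen(e) + strlen(l) + 16;
        cmd = malloc(n);
        if (cmd) snprintf(cmd, n, "%s copyout %s %s %s", helper, a, e, l);
    }
    free(a); free(e); free(l);
    return cmd;
}

int main(void)
{
    /* Constructed sample: entry name from the message, made-up local path. */
    char *cmd = build_copyout("uzip", "exploit.zip", "run&xterm", "/tmp/mc-run&xterm");
    if (cmd) puts(cmd);
    free(cmd);
    return 0;
}
```

Passing the names as separate arguments to an exec-family call, with no shell involved, removes the need for quoting altogether.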