On Mon, Jan 18, 2010 at 08:15:56AM +0100, Pavel Machek wrote:
> On Sat 2010-01-16 00:41:00, Oswald Buddenhagen wrote:
> > On Fri, Jan 15, 2010 at 08:32:01PM +0100, Janek Kozicki wrote:
> > > 1. create files named
> > > efekt_skali__0.15%.png
> > > efekt_skali__1.5%.png
> > >
> > > 2. log in remotely to that host using /#sh:u...@host
> > >
> > > 3. observe wrong file names:
> > > efekt_skali__0.1593cf4fcng
> > > efekt_skali__1.593cf4fcng
> > >
> > > pretty weird, huh?
> > >
> > it's not just weird, it is a potentially exploitable security hole.
>
> Well, /#sh is just a weird hack, and probably contains many similar
> problems.
>
heh

> It should be documented that it is not safe to connect to untrusted
> hosts.
>
that's too simplistic. the host as such may be perfectly trusted. but
an arbitrary user could place such file names in /tmp or some other
location occasionally visited by other mc users.

> (Plus it should be fixed, of course).
>
soon