Re: /#sh:user@host file names with % bug

2010-01-17 Thread Pavel Machek
On Sat 2010-01-16 00:41:00, Oswald Buddenhagen wrote:
> On Fri, Jan 15, 2010 at 08:32:01PM +0100, Janek Kozicki wrote:
> > 1. create files named
> >    efekt_skali__0.15%.png
> >    efekt_skali__1.5%.png
> >
> > 2. log in remotely to that host using /#sh:u...@host
> >
> > 3. observe wrong file names:
> >    efekt_skali__0.1593cf4fcng
> >    efekt_skali__1.593cf4fcng
> >
> > pretty weird, huh?
> >
> it's not just weird, it is a potentially exploitable security hole.

Well, /#sh is just a weird hack, and probably contains many similar
problems.

It should be documented that it is not safe to connect to untrusted
hosts.

(Plus it should be fixed, of course).

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
___
Mc-devel mailing list
http://mail.gnome.org/mailman/listinfo/mc-devel


Re: /#sh:user@host file names with % bug

2010-01-15 Thread Oswald Buddenhagen
On Fri, Jan 15, 2010 at 08:32:01PM +0100, Janek Kozicki wrote:
> 1. create files named
>    efekt_skali__0.15%.png
>    efekt_skali__1.5%.png
>
> 2. log in remotely to that host using /#sh:u...@host
>
> 3. observe wrong file names:
>    efekt_skali__0.1593cf4fcng
>    efekt_skali__1.593cf4fcng
>
> pretty weird, huh?
>
it's not just weird, it is a potentially exploitable security hole.
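
Added example, not part of the thread and not mc's code: the mangled names (`%.p` replaced by hex digits) are consistent with a file name being parsed as a printf-style format string, which is an assumption here since the thread does not name the cause. The sketch shows the two safe ways to carry such a name through a formatting helper; `send_line`, `build_request`, `build_request_two_pass` and the `LIST` request line are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: formats one request line for the remote side. */
static int send_line(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    return (n >= 0 && (size_t)n < cap) ? 0 : -1;   /* -1 on truncation */
}

/* Unsafe pattern (comment only): snprintf(tmp, sizeof tmp, "LIST %s", name);
 * send_line(out, cap, tmp);  -- the name is now format text, so "%.p" in
 * "0.15%.png" is parsed as a conversion with no argument behind it. */

/* Safe: the file name is passed as data and is never parsed as a format. */
int build_request(char *out, size_t cap, const char *name)
{
    return send_line(out, cap, "LIST %s", name);
}

/* If the name must become part of a format string, double every '%' first. */
int build_request_two_pass(char *out, size_t cap, const char *name)
{
    char tmp[600] = "LIST ";
    size_t o = strlen(tmp);
    for (; *name; name++) {
        if (o + 3 > sizeof tmp) return -1;   /* room for "%%" plus NUL */
        if (*name == '%') tmp[o++] = '%';     /* "%%" formats back to "%" */
        tmp[o++] = *name;
    }
    tmp[o] = '\0';
    return send_line(out, cap, tmp);
}

int main(void)
{
    char buf[256];  /* constructed sample: a file name from the report */
    if (build_request_two_pass(buf, sizeof buf, "efekt_skali__0.15%.png") == 0) puts(buf);
    return 0;
}
```

This covers only format-string handling; quoting a name for a remote shell is a separate concern.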