*security?* Re: Trash spec 0.2, technical questions
Dave Cridland
dave at cridland.net
Tue Aug 31 15:02:39 EEST 2004
On Tue Aug 31 07:58:06 2004, Alexander Larsson wrote:
> On Tue, 2004-08-31 at 06:20, Jerry Haltom wrote:
> > The spec currently says the "info" file may have an absolute
> > character for the original path name. I would say this is BAD.
> >
> > First off, different systems may have the same remote file
> > system mounted at different places... even the same user might.
> > Such as accessing his files from home.
> >
Fair argument. Sounds like a SHOULD to me, based on Alexander's
argument that it can't be used at all times.
> > ** security thing **
> > Additionally, it places extra burden on the undelete command to
> > verify that the absolute path is within the original file system,
> > so that it does not undelete malicious info entries into the wrong
> > location.
>
> How would you verify that?
>
Well, assuming you're renaming (link followed by unlink) to trash,
then you can rename back again. If you can't, there's a problem.
This holds true no matter what filenames are present in the info
file, of course.
It occurs to me that if someone is subverting your media in general,
then:
1) You have serious problems anyway.
2) Relative path restrictions offer little in the way of protection.
Dave.
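The restore step Dave describes (link followed by unlink, with the filesystem boundary doing the checking), as an added example that is not part of the thread or of the Trash spec itself. The on-disk layout (a `files/` and `info/` pair, `.trashinfo` entries of the form `[Trash Info]` / `Path=` / `DeletionDate=` with a percent-encoded path) and every directory and file name are assumptions made for the demonstration; the spec version under discussion may differ.

```python
"""Restore a trashed regular file by hard-linking it back to the path
recorded in its info entry, then unlinking the trash copy.

link(2) cannot cross a filesystem boundary (it fails with EXDEV) and
refuses to overwrite an existing name (EEXIST), so those two failure
modes need no separate path checking.  Added example: the info-file
format and the directory layout below are assumptions, not the spec's
normative text.
"""
import errno
import os
import shutil
import tempfile
import urllib.parse


def parse_trashinfo(text):
    """Return the recorded original path from an assumed
    "[Trash Info]" key=value entry; the Path value is percent-decoded."""
    path = None
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line == "[Trash Info]":
            in_section = True
            continue
        if in_section and line.startswith("Path="):
            path = urllib.parse.unquote(line[len("Path="):])
    if path is None:
        raise ValueError("no Path= entry in trashinfo")
    return path


def restore(trash_dir, name):
    """Put trash_dir/files/<name> back at its recorded path.

    Raises OSError with errno EXDEV if the recorded path is on another
    filesystem and EEXIST if something already lives there; in both
    cases the trash copy is left untouched.  Regular files only:
    link(2) does not accept directories."""
    src = os.path.join(trash_dir, "files", name)
    info = os.path.join(trash_dir, "info", name + ".trashinfo")
    with open(info) as f:
        dest = parse_trashinfo(f.read())
    os.link(src, dest)   # the check: fails across filesystems or onto an existing name
    os.unlink(src)       # only reached once the new name is in place
    os.unlink(info)
    return dest


def demo():
    """Build a throw-away trash directory (constructed data) and exercise
    restore(); returns a dict of observations."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "home")
    trash = os.path.join(root, "Trash")
    os.makedirs(home)
    os.makedirs(os.path.join(trash, "files"))
    os.makedirs(os.path.join(trash, "info"))

    def trash_file(name, content, recorded_path):
        with open(os.path.join(trash, "files", name), "w") as f:
            f.write(content)
        with open(os.path.join(trash, "info", name + ".trashinfo"), "w") as f:
            f.write("[Trash Info]\nPath=%s\nDeletionDate=2004-08-31T15:02:39\n"
                    % urllib.parse.quote(recorded_path))

    out = {}
    # 1. Ordinary restore: the link succeeds and the trash copy is unlinked.
    trash_file("notes.txt", "hello", os.path.join(home, "notes.txt"))
    dest = restore(trash, "notes.txt")
    out["restored"] = (os.path.isfile(dest)
                       and not os.path.exists(os.path.join(trash, "files", "notes.txt")))

    # 2. Recorded path already occupied: link() refuses with EEXIST and the
    #    existing file is not clobbered.
    with open(os.path.join(home, "taken.txt"), "w") as f:
        f.write("original")
    trash_file("taken.txt", "impostor", os.path.join(home, "taken.txt"))
    try:
        restore(trash, "taken.txt")
        out["clobbered"] = True
    except OSError as e:
        out["clobbered"] = False
        out["eexist"] = e.errno == errno.EEXIST
    with open(os.path.join(home, "taken.txt")) as f:
        out["taken_intact"] = f.read() == "original"

    # 3. Recorded path somewhere else on the same filesystem: nothing in the
    #    link/unlink step objects, exactly as the mail says; only a filesystem
    #    boundary (EXDEV) would stop it.
    elsewhere = os.path.join(root, "elsewhere")
    os.makedirs(elsewhere)
    trash_file("stray.txt", "x", os.path.join(elsewhere, "stray.txt"))
    out["stray_restored"] = restore(trash, "stray.txt") == os.path.join(elsewhere, "stray.txt")

    shutil.rmtree(root)
    return out


if __name__ == "__main__":
    print(demo())
```

Because the link is created before the trash copy is unlinked, a failure at either step leaves the file in at least one place; that ordering is what makes the rename-style restore safe to retry after an EXDEV or EEXIST error.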