*security?* Re: Trash spec 0.2, technical questions

Dave Cridland dave at cridland.net
Tue Aug 31 15:02:39 EEST 2004


On Tue Aug 31 07:58:06 2004, Alexander Larsson wrote:
> On Tue, 2004-08-31 at 06:20, Jerry Haltom wrote:
> > The spec currently says the "info" file may have an absolute
> > character for the original path name. I would say this is BAD.
> > 
> > First off, different systems may have the same remote file
> > system mounted at different places... even the same user might.
> > Such as accessing his files from home.
> > 

Fair argument. Sounds like a SHOULD to me, based on Alexander's 
argument that it can't be used at all times.


> > ** security thing **
> > Additionally, it places extra burden on the undelete command to
> > verify that the absolute path is within the original file system,
> > so that it does not undelete malicious info entries into the wrong
> > location.
> 
> How would you verify that?
> 
> 
Well, assuming you're renaming (link followed by unlink) to trash, 
then you can rename back again. If you can't, there's a problem.

This holds true no matter what filenames are present in the info 
file, of course.

It occurs to me that if someone is subverting your media in general, 
then:

1) You have serious problems anyway.
2) Relative path restrictions offer little in the way of protection.

Dave.
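The verification Jerry asks for above (an undelete must not land outside the tree and filesystem the trash belongs to), as an added Python example that is not part of this thread or of the spec. It assumes a `.Trash` directory sitting directly in its top directory and an info file carrying a `Path=` line (the later spec's `.trashinfo` layout; 0.2 may have differed); the same-filesystem test makes explicit what Dave's "rename back, and if you can't there's a problem" relies on.

```python
"""Added example, not from the thread: validate a trash "info" entry's path
before undeleting, so a crafted entry cannot restore outside the trash's tree."""
import os
import tempfile

class UnsafeRestorePath(ValueError):
    """The info entry would restore outside the filesystem the trash lives on."""

def restore_target(topdir, original):
    """Map an info-file path to a destination under topdir, or reject it. Relative
    paths resolve against topdir; absolute ones pass only if already inside it."""
    top = os.path.realpath(topdir)
    cand = original if os.path.isabs(original) else os.path.join(top, original)
    dest = os.path.realpath(cand)  # collapses ".." and follows existing symlinks
    # commonpath, not startswith: "/mnt/data" must not accept "/mnt/data2/x"
    if dest == top or os.path.commonpath([top, dest]) != top:
        raise UnsafeRestorePath(f"{original!r} escapes {top!r}")
    return dest

def is_safe(topdir, original):
    try:
        restore_target(topdir, original)
        return True
    except UnsafeRestorePath:
        return False

def undelete(trashdir, name):
    """Restore trashdir/files/<name> per trashdir/info/<name>.trashinfo. Assumed:
    the trash dir sits directly in its topdir and the info file carries a 'Path='
    line (the later spec's format; 0.2 may have differed)."""
    topdir = os.path.dirname(os.path.realpath(trashdir))
    with open(os.path.join(trashdir, "info", name + ".trashinfo")) as f:
        original = next(l[5:].rstrip("\n") for l in f if l.startswith("Path="))
    dest = restore_target(topdir, original)
    # Same-filesystem check: the restore stays where the trash lives (same st_dev)
    if os.stat(os.path.dirname(dest)).st_dev != os.stat(trashdir).st_dev:
        raise UnsafeRestorePath("destination is on a different filesystem")
    os.rename(os.path.join(trashdir, "files", name), dest)
    return dest

def demo():
    """Constructed scenario in a temp dir: trash one file, then undelete it."""
    with tempfile.TemporaryDirectory() as top:
        trash = os.path.join(top, ".Trash")
        for d in ("docs", ".Trash/files", ".Trash/info"):
            os.makedirs(os.path.join(top, d))
        open(os.path.join(trash, "files", "a.txt"), "w").close()
        with open(os.path.join(trash, "info", "a.txt.trashinfo"), "w") as f:
            f.write("[Trash Info]\nPath=docs/a.txt\n")
        return undelete(trash, "a.txt") == os.path.realpath(f"{top}/docs/a.txt")
```

A relative-path-only rule does not remove the need for the containment check: `..` components and symlinks inside the tree still have to be resolved before the rename.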