Mauro Tortonesi <[EMAIL PROTECTED]> writes:

>> * The local name is copied from the header verbatim without inspecting
>>   it for dangerous characters, such as "/" (on Windows also "\").
>> * There seems to be no code to check for uniqueness of file name. So
>>   far Wget's philosophy has been not to overwrite file names by
>>   default. If this is being changed, some people will be confused...
>>   and it leaves too much room for abuse.
>
> I was already aware of these problems.
If you were aware of such serious security issues, maybe it would have been a better idea to refrain from committing the code before fixing them. (But I'm not saying the code should be backed out now.) Some people are using Wget directly from Subversion, and they might be unpleasantly surprised. Also note that Content-Disposition is parsed by default, and that there's no way to turn it off. I'm not suggesting changing the default, just that, because it's the default, the implementation of this feature requires all the more care and thought.