Summary: Client runs server script from current directory in
debug build only
                 Project: Freeciv
            Submitted by: cazfi
            Submitted on: Sun 24 Jul 2011 10:19:44 AM EEST
                Category: client
                Priority: 5 - Normal
                  Status: Ready For Test
                 Privacy: Public
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: 2.2.8, 2.3.0, 2.4.0



When launching the server, the client *prefers* running it as "./ser". That can
be considered a security issue in release builds. An attacker just has to trick
the user into running the client in a (world-writable) directory where he has placed his own

OTOH running ./ser is definitely a useful feature during development, so that
the client finds the server directly from the build directory.

The attached patch makes the client search for the server from relative paths
only in debug builds.

Yes, as this is a security issue, I've set 2.3.0 (and not 2.3.1) among the targets
even though we already have an RC for 2.3.0.


File Attachments:

Date: Sun 24 Jul 2011 10:19:44 AM EEST  Name: SrvPathSecurity.diff  Size:
824B   By: cazfi




  Message sent via/by Gna!

Freeciv-dev mailing list
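
The release/debug split described in the report, as an added C example; it is not the attached SrvPathSecurity.diff and not Freeciv code. It goes one step beyond the report by also checking whether a PATH value would send a bare program name back to the current directory. The function names, the use of a DEBUG macro and every candidate value other than "./ser" are assumptions.

```c
/* Added illustration, not Freeciv source. Function names and candidate
 * values are hypothetical; only "./ser" comes from the report. */
#include <stddef.h>
#include <string.h>
#ifdef DEBUG /* assumption: DEBUG is defined only for development builds */
#define ALLOW_CWD_RELATIVE 1
#else
#define ALLOW_CWD_RELATIVE 0
#endif

/* A name containing '/' but not starting with '/' is resolved against the
 * current directory by exec*(); a bare name is looked up through PATH. */
static int is_cwd_relative(const char *p)
{
  return p[0] != '/' && strchr(p, '/') != NULL;
}

/* Copy into out[] the candidates that may be tried, in order; return count. */
size_t filter_candidates(const char *const *cand, size_t n,
                         int allow_cwd_relative, const char **out)
{
  size_t kept = 0;
  for (size_t i = 0; i < n; i++) {
    if (cand[i] == NULL || cand[i][0] == '\0') continue;
    if (!allow_cwd_relative && is_cwd_relative(cand[i])) continue;
    out[kept++] = cand[i];
  }
  return kept;
}

/* Build-dependent entry point: release builds drop "./ser"-style names. */
size_t server_candidates(const char *const *cand, size_t n, const char **out)
{
  return filter_candidates(cand, n, ALLOW_CWD_RELATIVE, out);
}

/* Return 1 if this PATH value makes a bare name resolve in the current
 * directory (empty or non-absolute entry). NULL (unset) is not judged. */
int path_searches_cwd(const char *path_env)
{
  if (path_env == NULL) return 0;
  for (const char *p = path_env;;) {
    const char *end = strchr(p, ':');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len == 0 || p[0] != '/') return 1;
    if (end == NULL) return 0;
    p = end + 1;
  }
}
```
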
