URL:
  <http://gna.org/patch/?2827>

                 Summary: Client runs server script from current directory in debug build only
                 Project: Freeciv
            Submitted by: cazfi
            Submitted on: Sun 24 Jul 2011 10:19:44 AM EEST
                Category: client
                Priority: 5 - Normal
                  Status: Ready For Test
                 Privacy: Public
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: 2.2.8, 2.3.0, 2.4.0

    _______________________________________________________

Details:

When launching the server, the client *prefers* running it as "./ser". That
can be considered a security issue in release builds. An attacker just has to
trick the user into running the client in a (world-writable) directory where
he has placed his own ser-program.

OTOH running ./ser is definitely a useful feature during development so that
the client finds the server directly from the build directory.

The attached patch makes the client search for the server from relative paths
only in debug builds.

Yes, as this is a security issue, I've set 2.3.0 (and not 2.3.1) among the
targets even though we already have an RC for 2.3.0.



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Sun 24 Jul 2011 10:19:44 AM EEST  Name: SrvPathSecurity.diff  Size: 824B   By: cazfi

<http://gna.org/patch/download.php?file_id=13649>

_______________________________________________
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev
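
Added example, not part of the tracker item or the attached patch: a sketch of the approach the report describes, where candidates resolved against the current directory are tried only in development builds. The `DEBUG` macro, the function names and every path except "./ser" are assumptions or constructed placeholders, and execvp()-style lookup is assumed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: DEBUG marks a development build; the project's macro may differ. */
#ifdef DEBUG
#define ALLOW_RELATIVE 1
#else
#define ALLOW_RELATIVE 0
#endif

/* Preference order. "./ser" is from the report; the other entries are
 * constructed placeholders, not Freeciv's actual paths. */
static const char *const all_candidates[] = {
  "./ser",
  "build/example-server",
  "/opt/example/bin/example-server",
  "example-server",
};

/* execvp() resolves a name that contains '/' but does not start with '/'
 * against the current directory; a bare name is looked up via PATH. */
static int is_cwd_relative(const char *path)
{
  return path[0] != '/' && strchr(path, '/') != NULL;
}

/* Copy the candidates a build may try, in order, into out[]; returns count. */
static size_t server_candidates(int allow_relative, const char **out, size_t max)
{
  size_t n = 0;
  size_t total = sizeof(all_candidates) / sizeof(all_candidates[0]);
  for (size_t i = 0; i < total && n < max; i++) {
    if (!allow_relative && is_cwd_relative(all_candidates[i])) {
      continue; /* release build: never trust the current directory */
    }
    out[n++] = all_candidates[i];
  }
  return n;
}

int main(void)
{
  const char *list[8];
  size_t n = server_candidates(ALLOW_RELATIVE, list, 8);
  for (size_t i = 0; i < n; i++) {
    printf("would try: %s\n", list[i]);
  }
  return 0;
}
```

Compiled without `-DDEBUG`, the program lists only the absolute path and the bare name; with `-DDEBUG`, "./ser" comes first again.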
