Update of bug #23872 (project freeciv):
Category: None => general
Status: None => In Progress
Planned Release: => 2.5.2, 2.6.0, 3.0.0
_______________________________________________________
Follow-up Comment #1:
Fix in consideration attached - probably won't commit this.
It was not just that the filename was searched with the extensions before the
plain name. There was no search for the plain name at all for players with
limited rights. Such files have only ever been found because, for an authorized
user, as a fallback, the original filename gets passed to secfile loading, which
then finds it.
This stays within the logic that directories are iterated in the outer loop
and extensions in the inner one. That means that a file with any suitable
extension from an earlier directory gets loaded instead of a plainly named file
in a later directory.
It's possible to load "xxx.sav" without the patch. One just has to give the
name as "xxx" so it will be found with extension ".sav" (and not as "xxx.sav"
+ ".bz2"). Having it the current way gives security in that less-authorized
users can load only files with some of the legal extensions, not just any
configuration file, potentially getting information about the file's contents
from error messages when loading fails.
(file #25139)
_______________________________________________________
Additional Item Attachment:
File name: FindExactFilename.patch Size:1 KB
_______________________________________________________
Reply to this item at:
<http://gna.org/bugs/?23872>
_______________________________________________
Freeciv-dev mailing list
https://mail.gna.org/listinfo/freeciv-dev
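
The lookup order and extension restriction described in the comment above, as an added example that is not part of the original message, the attached patch, or freeciv's code. The directory names, the file list, the two-entry extension list, the helper names, and the choice to try the plain name before the extensions within each directory are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data; not freeciv's real directories or extension list. */
static const char *const dirs[]  = { "d1", "d2" };      /* search order */
static const char *const exts[]  = { ".sav", ".bz2" };  /* "legal" extensions */
static const char *const files[] = { "d1/game.sav", "d2/game", "d2/server.conf" };

#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Stand-in for a filesystem existence check over the constructed list. */
static int exists(const char *path)
{
  size_t i;
  for (i = 0; i < N(files); i++) {
    if (strcmp(files[i], path) == 0) return 1;
  }
  return 0;
}

/* Build dir/name+ext into buf; reject truncated paths instead of probing them. */
static int candidate(char *buf, size_t len, const char *dir,
                     const char *name, const char *ext)
{
  int n = snprintf(buf, len, "%s/%s%s", dir, name, ext);
  return n > 0 && (size_t)n < len && exists(buf);
}

/* Hypothetical helper: directories in the outer loop, extensions in the inner.
 * try_plain == 0 models the restricted lookup: only name + legal extension.
 * Returns buf on a match, NULL otherwise. */
static const char *find_save(const char *name, int try_plain,
                             char *buf, size_t len)
{
  size_t d, e;
  for (d = 0; d < N(dirs); d++) {
    if (try_plain && candidate(buf, len, dirs[d], name, "")) return buf;
    for (e = 0; e < N(exts); e++) {
      if (candidate(buf, len, dirs[d], name, exts[e])) return buf;
    }
  }
  return NULL;
}

int main(void)
{
  char buf[256];
  const char *r = find_save("server.conf", 0, buf, sizeof buf);
  printf("restricted lookup of server.conf: %s\n", r ? r : "(not found)");
  return 0;
}
```

With plain-name matching enabled, "game" still resolves to d1/game.sav rather than d2/game, because the earlier directory is exhausted first.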