Gertjan Klein wrote:

>I don't know about this. %CSP.StreamServer takes either a FILE=
>parameter that denotes a file somewhere in the CSP tree, or a stream
>ID. If this stream ID makes access possible to files outside the CSP
>tree, the security risk would be even bigger, as I presume a hacker
>can easily generate such an ID for basically any file. (I haven't
>tested this, though.)

Just did. The stream OID is expected to be encrypted (with %session.Key), so if this is done safely, there is no way an outside attacker, that doesn't know this key, can construct a valid OID. (This still leaves the files in the CSP directory open, though.)

Gertjan.

--
Gertjan Klein
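The property described in the message above (a stream reference that cannot be constructed without the per-session key) can be sketched as follows. This is an added example, not code from the post or from Caché: it swaps in an HMAC-SHA256 tag for the encryption the post mentions, and the function names and sample stream IDs are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets

TAG_LEN = 32  # length of an HMAC-SHA256 tag in bytes


def new_session_key() -> bytes:
    """Per-session secret; stands in for the role %session.Key plays in the post."""
    return secrets.token_bytes(32)


def seal_stream_id(session_key: bytes, stream_id: str) -> str:
    """Return a URL-safe token for stream_id that only the key holder can produce."""
    body = stream_id.encode("utf-8")
    tag = hmac.new(session_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + body).decode("ascii")


def open_stream_id(session_key: bytes, token: str):
    """Return the stream id if token verifies under session_key, otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except ValueError:  # covers bad padding and non-ASCII input
        return None
    if len(raw) <= TAG_LEN:
        return None
    tag, body = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(session_key, body, hashlib.sha256).digest()
    # Constant-time comparison; reject before the body is interpreted at all.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return body.decode("utf-8")
    except UnicodeDecodeError:
        return None


if __name__ == "__main__":
    key = new_session_key()
    token = seal_stream_id(key, "constructed-oid-42")  # constructed sample id
    print(open_stream_id(key, token))                  # accepted in the same session
    print(open_stream_id(new_session_key(), token))    # rejected in another session
```

This covers only the stream-ID path; as the post notes, the FILE= parameter still needs its own restriction to the intended directory.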
