- Peter van Dijk <[EMAIL PROTECTED]>:
| On Sun, Jan 31, 1999 at 06:51:36PM -0000, Russell Nelson wrote:
| >
| > It's a security measure, to keep people from sending mail to
| > user-../../etc/passwd (e.g.). Qmail-local used to replace slashes
| > with colons, until it was seen that slashes were useful to allow
| > subdirectories, so now the dots are replaced with colons.
|
| I understand the security part (feeling stupid today after
| reconfigging one win95 machine just over 15 times. I never knew that
| I could actually feel stress...).
|
| But where would you use directories in that? Creating .qmail-bla/duh
| and mailing to peter-bla/duh doesn't really do the job.
No, but at the time Russell is talking about, dots were *not*
replaced. There are only three reasonable ways to foil the /../
attack, and those are (1) replace slashes by something else, (2)
replace dots by something else, and (3) recognize the substring /../
and either replace it by something else or bounce the mail.
Personally, I think I would prefer (3) because it confuses users less,
but OTOH (1) and (2) are simpler to implement, which makes it less
likely for a security bug to creep in.
| Hmm.. too little caffeine here.
I hope you know the remedy for that.
- Harald
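To make the three options concrete, here is an added Python sketch (not qmail's own code) that applies each sanitization to an address extension and checks whether the resulting .qmail-ext path stays under the user's home directory. The home directory, the sample extensions and the path check are constructed for illustration.

```python
import posixpath
from typing import Optional

# Constructed example: home directory in which .qmail-<ext> files are looked up.
HOME = "/home/peter"

def sanitize_ext(ext: str, strategy: int) -> Optional[str]:
    """Return the filename-safe form of an address extension, or None to bounce.

    0: no sanitization (what the thread calls the /../ attack)
    1: replace slashes with colons (old qmail-local behaviour)
    2: replace dots with colons (current qmail-local behaviour per the thread)
    3: recognize the substring /../ and bounce
    """
    if strategy == 0:
        return ext
    if strategy == 1:
        return ext.replace("/", ":")
    if strategy == 2:
        return ext.replace(".", ":")
    if strategy == 3:
        # Wrap in slashes so a leading "../" or trailing "/.." is also caught.
        return None if "/../" in "/" + ext + "/" else ext
    raise ValueError("unknown strategy")

def dot_qmail_path(ext: str, strategy: int) -> Optional[str]:
    """Path of the .qmail file that would be consulted for this extension."""
    safe = sanitize_ext(ext, strategy)
    if safe is None:
        return None
    return posixpath.normpath(posixpath.join(HOME, ".qmail-" + safe))

def escapes_home(path: str) -> bool:
    """True if the normalized path lies outside HOME (assumed check)."""
    return not (path == HOME or path.startswith(HOME + "/"))

if __name__ == "__main__":
    for ext in ("bla/duh", "x/../../../etc/passwd"):
        for strategy in range(4):
            p = dot_qmail_path(ext, strategy)
            print(strategy, ext, "->", p, "bounced" if p is None else
                  ("ESCAPES" if escapes_home(p) else "ok"))
```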