On Mon, Feb 01, 1999 at 10:33:42AM +0100, Harald Hanche-Olsen wrote:
> - Peter van Dijk <[EMAIL PROTECTED]>:
>
> | On Sun, Jan 31, 1999 at 06:51:36PM -0000, Russell Nelson wrote:
> | >
> | > It's a security measure, to keep people from sending mail to
> | > user-../../etc/passwd (e.g.). Qmail-local used to replace slashes
> | > with colons, until it was seen that slashes were useful to allow
> | > subdirectories, so now the dots are replaced with colons.
> |
> | I understand the security part (feeling stupid today after
> | reconfigging one win95 machine just over 15 times. I never knew that
> | I could actually feel stress...).
> |
> | But where would you use directories in that? Creating .qmail-bla/duh
> | and mailing to peter-bla/duh doesn't really do the job.
>
> No, but at the time Russell is talking about, dots were *not*
> replaced. There are only three reasonable ways to foil the /../
> attack, and those are (1) replace slashes by something else, (2)
> replace dots by something else, and (3) recognize the substring /../
> and either replace it by something else or bounce the mail.
> Personally, I think I would prefer (3) because it confuses users less,
> but OTOH (1) and (2) are simpler to implement, whick makes it less
> likely for a security bug to creep in.
All agreed, but I still don't understand Russell saying 'slashes were useful to allow
subdirectories'.
> | Hmm.. too little caffeine here.
>
> I hope you know the remedy for that.
Yep. 2, actually :)
Greetz, Peter.
--
.| Peter van Dijk
.| [EMAIL PROTECTED]
