On Fri, Jan 12, 2001 at 02:31:56PM -0500, Dave Sill wrote:
> "David L. Nicol" <[EMAIL PROTECTED]> wrote:
>
> >that man page [dot-qmail] says:
> >
> >> WARNING: For security, qmail-local replaces any dots in ext with colons
> >> before checking .qmail-ext. For convenience, qmail-local converts any
> >> uppercase letters in ext to lowercase.
> >
> >
> >What exactly is the threat this is supposed to guard against? Is
> >it directory descending on vms, or access to the .. directory somehow?
>
> It's guarding against ascending via "..".
That's the assumption, but which Unixen legitimately traverse based
on a name like .qmail-../../../etc/passwd?
Most Unixen I've seen insist that the first component be a valid
directory.
Regards.
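
The mapping quoted from the man page, as an added example that is not part of the original messages and is not qmail source code: it builds the `.qmail-ext` file name with and without the two stated mappings and counts the path components that are exactly `..`. The names `dotqmail_name` and `dotdot_components` are hypothetical, and leaving slashes untouched is an assumption of this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not qmail source: build ".qmail-<ext>". With sanitize
   set, apply the two mappings the man page excerpt states (dots -> colons,
   uppercase -> lowercase). Slashes are left alone (assumption of this sketch). */
int dotqmail_name(const char *ext, int sanitize, char *out, size_t outlen)
{
    static const char prefix[] = ".qmail-";
    size_t plen = sizeof prefix - 1, elen = strlen(ext), i;
    if (plen + elen + 1 > outlen)
        return -1;                      /* result would not fit in out */
    memcpy(out, prefix, plen);
    for (i = 0; i < elen; i++) {
        unsigned char c = (unsigned char)ext[i];
        if (sanitize)
            c = (c == '.') ? ':' : (unsigned char)tolower(c);
        out[plen + i] = (char)c;
    }
    out[plen + elen] = '\0';
    return 0;
}

/* Count components that are exactly "..", the only name that moves
   path lookup up a directory. ".qmail-.." is an ordinary name. */
int dotdot_components(const char *path)
{
    int count = 0;
    while (*path) {
        size_t len = strcspn(path, "/");
        if (len == 2 && path[0] == '.' && path[1] == '.')
            count++;
        path += len;
        if (*path == '/')
            path++;
    }
    return count;
}

int main(void)
{
    const char *ext = "../../../etc/passwd"; /* ext of the name quoted above */
    char raw[64], safe[64];
    if (dotqmail_name(ext, 0, raw, sizeof raw) || dotqmail_name(ext, 1, safe, sizeof safe))
        return 1;
    printf("%s: %d\n%s: %d\n", raw, dotdot_components(raw), safe, dotdot_components(safe));
    return 0;
}
```

In the unmapped name the first component, `.qmail-..`, is an ordinary file name and only the components after it are `..`; after the mapping no `..` component is left.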