"Mark Delany" <[EMAIL PROTECTED]> writes:
> On Fri, Jan 12, 2001 at 02:31:56PM -0500, Dave Sill wrote:
> > "David L. Nicol" <[EMAIL PROTECTED]> wrote:
> > >that man page [dot-qmail] says:
> > >> WARNING: For security, qmail-local replaces any dots in ext with colons
> > >> before checking .qmail-ext.  For convenience, qmail-local converts any
> > >> uppercase letters in ext to lowercase.
> > >
> > >What exactly is the threat this is supposed to guard against?  Is
> > >it directory descending on vms, or access to the .. directory somehow?
> > 
> > It's guarding against ascending via "..".
> 
> That's the assumption, but which Unixen legitimately traverses based
> on a name like .qmail-../../../etc/passwd?

The dash field need not be "-".  In particular, it can end in "/", so
that ".." in ext would work, if left unaltered.


paul
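
The case described in the reply above, as an added example that is not part of the original thread or of qmail's source: it assumes the file name is formed by concatenating `.qmail`, the dash field and ext, and compares the unaltered name with the one produced by the man page's dot-to-colon and lowercase rules. The function names and the `-lists/` dash value are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Build ".qmail" + dash + ext (plain concatenation is an assumption here).
 * With sanitize set, apply the man page's rules to ext only: '.' -> ':'
 * and uppercase -> lowercase. Returns 0, or -1 if out is too small. */
int build_dotqmail_name(const char *dash, const char *ext, int sanitize,
                        char *out, size_t outlen)
{
    size_t used = strlen(".qmail") + strlen(dash);
    if (used + strlen(ext) + 1 > outlen) return -1;
    strcpy(out, ".qmail");
    strcat(out, dash);
    for (; *ext; ext++) {
        unsigned char c = (unsigned char)*ext;
        if (sanitize) c = (c == '.') ? ':' : (unsigned char)tolower(c);
        out[used++] = (char)c;
    }
    out[used] = '\0';
    return 0;
}

/* Walk a relative path lexically; return the lowest depth reached relative
 * to the starting directory. Negative means it climbs above the start. */
int min_depth(const char *path)
{
    int depth = 0, lowest = 0;
    while (*path) {
        size_t len = strcspn(path, "/");
        if (len == 2 && path[0] == '.' && path[1] == '.') depth--;
        else if (len > 0 && !(len == 1 && path[0] == '.')) depth++;
        if (depth < lowest) lowest = depth;
        path += len;
        if (*path == '/') path++;
    }
    return lowest;
}

int main(void)
{
    char raw[256], safe[256];
    /* Constructed inputs: a dash ending in "/" and the ext from the thread. */
    build_dotqmail_name("-lists/", "../../../etc/passwd", 0, raw, sizeof raw);
    build_dotqmail_name("-lists/", "../../../etc/passwd", 1, safe, sizeof safe);
    printf("%-40s min depth %d\n", raw, min_depth(raw));
    printf("%-40s min depth %d\n", safe, min_depth(safe));
    return 0;
}
```

With the dots replaced, every component of ext is an ordinary file name, so the path never rises above the directory named by the dash field.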
