URL: http://gna.org/patch/?2827
Summary: Client runs server script from current directory in debug build only
Project: Freeciv
Submitted by: cazfi
Submitted on: Sun 24 Jul 2011 10:19:44 AM EEST
Category: client
Priority: 5 - Normal
Status: Ready For Test
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Planned Release: 2.2.8, 2.3.0, 2.4.0
___
Details:
When launching the server, the client *prefers* running it as ./ser That can be
considered a security issue in release builds. An attacker just has to trick the
user into running the client in a (world-writable) directory where he has placed
his own ser-program.

OTOH running ./ser is definitely a useful feature during development, so that
the client finds the server directly from the build directory.

The attached patch makes the client search for the server from relative paths
only in debug builds.

Yes, as this is a security issue, I've set 2.3.0 (and not 2.3.1) among the
targets even though we already have an RC for 2.3.0.
___
File Attachments:
---
Date: Sun 24 Jul 2011 10:19:44 AM EEST  Name: SrvPathSecurity.diff  Size: 824B  By: cazfi
http://gna.org/patch/download.php?file_id=13649
___
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev
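
The rule described in the ticket, as an added example that is not the attached patch or Freeciv's own code: candidate launch paths resolved against the current working directory are kept only when the build is a debug build. The binary name `example-server`, the candidate list and the function names are hypothetical, because the page's own binary name is truncated.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical binary name; the name on the page is truncated. */
#define SERVER_BIN "example-server"

/* Candidate launch paths in order of preference (constructed sample). */
static const char *const candidates[] = {
  "./" SERVER_BIN,              /* build directory, cwd-relative */
  "./server/" SERVER_BIN,       /* build tree, cwd-relative */
  "/usr/local/bin/" SERVER_BIN, /* absolute install location */
  SERVER_BIN,                   /* bare name: execvp() resolves it via PATH */
};
#define N_CANDIDATES (sizeof(candidates) / sizeof(candidates[0]))

/* True when the path would be resolved against the current working
 * directory: it contains a '/' but does not start with one. */
bool is_cwd_relative(const char *path)
{
  return path[0] != '/' && strchr(path, '/') != NULL;
}

/* Copy the candidates allowed for this build type into out[] and
 * return how many were kept. Release builds drop cwd-relative ones. */
size_t allowed_candidates(bool debug_build, const char **out, size_t max)
{
  size_t n = 0;

  for (size_t i = 0; i < N_CANDIDATES && n < max; i++) {
    if (!debug_build && is_cwd_relative(candidates[i])) {
      continue; /* never launch from the cwd in a release build */
    }
    out[n++] = candidates[i];
  }
  return n;
}

/* Build-time default: a debug-only switch chosen by the DEBUG macro. */
#ifdef DEBUG
#define DEBUG_BUILD true
#else
#define DEBUG_BUILD false
#endif
```

A bare name is only as safe as the user's PATH: an empty entry or a `.` entry in PATH makes `execvp()` look in the current directory again.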