Hrvoje Niksic wrote:
Mauro Tortonesi <[EMAIL PROTECTED]> writes:
* The local name is copied from the header verbatim without inspecting
it for dangerous characters, such as "/" (on Windows also "\").
* There seems to be no code to check for uniqueness of file name. So
far Wget's philosophy has been not to overwrite file names by
default. If this is being changed, some people will be confused...
and it leaves too much room for abuse.
I was already aware of these problems.
If you were aware of so serious security issues, maybe it would have
been a better idea to refrain from committing the code before fixing
them.
Of course, I was not aware of these issues at the moment of committing
the code. Only many days later I noticed the bug.
(But I'm not saying the code should be backed out now.) Some
people are using Wget directly from Subversion, and they might be
unpleasantly surprised.
You're right.
Also note that Content-Disposition is parsed by default, and that
there's no way to turn it off. I'm not suggesting to change the
default, just that, because it's the default, the implementation of
this feature requires all the more care and thought.
I agree.
--
Aequam memento rebus in arduis servare mentem...
Mauro Tortonesi http://www.tortonesi.com
University of Ferrara - Dept. of Eng. http://www.ing.unife.it
GNU Wget - HTTP/FTP file retrieval tool http://www.gnu.org/software/wget
Deep Space 6 - IPv6 for Linux http://www.deepspace6.net
Ferrara Linux User Group http://www.ferrara.linux.it
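The two checks Hrvoje asks for above, written out as an added example rather than Wget's own code: the header-supplied name is reduced to a bare file name (any "/" or "\" is treated as a directory boundary, and names such as ".." or ones containing control characters are rejected), and an existing file is never overwritten but gets a ".1", ".2", ... suffix instead. The function names and the sample_exists() stand-in for a directory listing are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Reduce a Content-Disposition filename to a bare name. Everything up to the
   last "/" or "\" is dropped, so "../../etc/passwd" or "C:\x\y.exe" can never
   escape the download directory. Empty names, ".", ".." and names holding
   control characters are refused. Returns true and fills OUT on success. */
bool
sanitize_cd_filename (const char *hdr_name, char *out, size_t outlen)
{
  const char *base = hdr_name, *p;

  for (p = hdr_name; *p; p++)
    if (*p == '/' || *p == '\\')
      base = p + 1;
  if (*base == '\0' || !strcmp (base, ".") || !strcmp (base, ".."))
    return false;
  for (p = base; *p; p++)
    if ((unsigned char) *p < 0x20 || *p == 0x7f)
      return false;
  if (strlen (base) >= outlen)
    return false;
  strcpy (out, base);
  return true;
}

/* Keep Wget's no-clobber default: if NAME exists (as reported by EXISTS, a
   callback so the logic can be exercised without touching the disk), try
   NAME.1, NAME.2, ... until a free name is found. */
bool
unique_name (const char *name, bool (*exists) (const char *),
             char *out, size_t outlen)
{
  unsigned i;
  if (!exists (name))
    return snprintf (out, outlen, "%s", name) < (int) outlen;
  for (i = 1; i < 1000; i++)
    if (snprintf (out, outlen, "%s.%u", name, i) < (int) outlen
        && !exists (out))
      return true;
  return false;
}

/* Constructed stand-in for a directory listing (not a real filesystem check):
   pretends "index.html" and "index.html.1" are already present. */
bool
sample_exists (const char *name)
{
  return !strcmp (name, "index.html") || !strcmp (name, "index.html.1");
}
```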