On 17.02.2011 02:07, dickbalaska wrote:
> clipka<ano### [at] anonymousorg> wrote:
>> On 16.02.2011 20:51, Darren New wrote:
>
>> From the code it is pretty obvious that the original intention is to
>> eliminate ".." from paths like "foo/bar/../fnord" by contracting it to
>> "foo/../fnord" - no security stuff intended there.
>
> What is the point of doing path contraction, if not for security purposes?
> Otherwise you are introducing code with no benefit. The OS is going to handle
> ..../ just fine for you already.
>
> Someone above said "../ at the start of the path". Don't forget that
> foo/../../../../etc/passwd is legal.

You may be right there - but I guess we agree that contracting
"foo/../../fnord" to "foo/fnord" is bogus, whatever reason there may be
to contract "foo/bar/../fnord" to "foo/fnord".
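As an added example (not part of the thread and not POV-Ray's code): a purely lexical contraction in C++ that cancels a ".." only against a preceding real component and keeps any ".." that has nothing left to cancel, so "foo/../../fnord" becomes "../fnord" rather than "foo/fnord". The function names `contract` and `escapes_base` and the '/'-only separator are assumptions made for the example.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Added example, not POV-Ray code. Purely lexical: symlinks are not resolved,
// so the result can differ from what the OS would actually open.
std::string contract(const std::string& path) {
    const bool absolute = !path.empty() && path[0] == '/';
    std::vector<std::string> kept;
    std::istringstream in(path);
    std::string part;
    while (std::getline(in, part, '/')) {
        if (part.empty() || part == ".") continue;   // "a//b" and "a/./b"
        if (part == "..") {
            if (!kept.empty() && kept.back() != "..") {
                kept.pop_back();                     // "bar/.." cancels out
            } else if (!absolute) {
                kept.push_back("..");                // nothing to cancel: keep it
            }                                        // at "/" a ".." stays at "/"
            continue;
        }
        kept.push_back(part);
    }
    std::string out = absolute ? "/" : "";
    for (std::size_t i = 0; i < kept.size(); ++i) {
        if (i) out += '/';
        out += kept[i];
    }
    return out.empty() ? "." : out;
}

// True when the contracted path would leave the directory it is relative to.
bool escapes_base(const std::string& path) {
    const std::string c = contract(path);
    return c[0] == '/' || c == ".." || c.compare(0, 3, "../") == 0;
}

int main() {
    // Sample paths taken from the discussion above.
    const char* samples[] = {"foo/bar/../fnord", "foo/../../fnord",
                             "foo/../../../../etc/passwd"};
    for (const char* s : samples)
        std::cout << s << " -> " << contract(s)
                  << (escapes_base(s) ? "  [escapes]" : "") << "\n";
    return 0;
}
```

A caller that wants to confine file access would reject any path for which `escapes_base` returns true, instead of silently rewriting it.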