[resent with group-reply, sorry] On 2019-01-25 10:36:42 +0000, Dominic Hargreaves wrote: > Also, I think it's worth trying to identify what the worst extent > of the issue is. Whilst I don't agree with some who say that this isn't > a security issue at all, I don't know of any real-world cases where > it would be exploitable for remote code execution.
Probably not directly, but if the user doesn't check the filenames, this can obviously occur. Those using "wget -r" should be very careful with this. I had a Perl script working on such a "wget -r" result. Fortunately it was just a Perl script that did all the work, and it was using the 3-arg open on the files, so that it wasn't vulnerable. There is a potential exploit if the user calls a vulnerable script on files obtained with "wget -r". > If someone would like to contradict me, please feel free to mail > off-list. Either way, the fact remains that if untrusted/unsanitised > input is being passed into your @ARGV, then something is already > wrong. I recall that a part of the issue is that this wasn't documented (in addition to being unintuitive). As pure filenames, they are already sanitized: a filename that ends with "|" is perfectly valid. -- Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)