> ([EMAIL PROTECTED]) spew-ed forth:
> > I've not been able to come up with any reasonable CGI that would be
> > creating a path that the user has any control over; why would one want
> > to do that?
> What about things like document/filesystem management tools? Or
> (re)configuration tools? Sayin
On 9 Jun 2001, at 9:18, Randal L. Schwartz wrote:
> Just another guy driving around a 7-year-old ugly second-hand SUV, and
> probably stuck with that for another year or two the way the finances
> are looking this year... ,
Luxury! In...
Never mind, we won't go there.
--
Karen J. Cravens ([E
On Sat, Jun 09, 2001 at 11:14:21AM -0500, Karen Cravens ([EMAIL PROTECTED]) spew-ed
forth:
> On 9 Jun 2001, at 8:54, Randal L. Schwartz wrote:
>
>
> Well, I'm not sure, but I *have* seen a lot of sysadmins (and
> techies of various stripes) with buzzcuts or shaved heads. That
> help?
I am o
At 07:10 AM 6/9/01 -0700, Randal L. Schwartz wrote:
> > "Jeff" == Jeff Yoak <[EMAIL PROTECTED]> writes:
>
>Jeff> At 05:11 PM 6/8/01 -0500, Karen Cravens wrote:
> >> On 8 Jun 2001, at 14:33, Randal L. Schwartz wrote:
> >>
> >> > No, because newlines are the delimiters for sh's "read" operator.
> "Peter" == Peter Scott <[EMAIL PROTECTED]> writes:
>> We all make millions?
Peter> Speak for yourself :-)
oh, don't I wish. :) When I finally make enough money to afford a new
car, I think I'll be happy
Just another guy driving around a 7-year-old ugly second-hand SUV, and
probably s
On 9 Jun 2001, at 8:54, Randal L. Schwartz wrote:
> > "Peter" == Peter Scott <[EMAIL PROTECTED]> writes:
> Peter> Securing a system today is like being Sigourney Weaver in
> Peter> "Alien"...
>
> In what way?
...
> Can you expand a bit on that? I lost the metaphor.
Well, I'm not sure, but
Randal L. Schwartz [[EMAIL PROTECTED]] quoth:
*>> "Peter" == Peter Scott <[EMAIL PROTECTED]> writes:
*>
*>Peter> Securing a system today is like being Sigourney Weaver in
*>Peter> "Alien"...
*>
*>In what way?
You nuke the site from orbit, it's the only way to be sure.
e.
At 08:54 AM 6/9/2001 -0700, Randal L. Schwartz wrote:
> > "Peter" == Peter Scott <[EMAIL PROTECTED]> writes:
>
>Peter> Securing a system today is like being Sigourney Weaver in
>Peter> "Alien"...
>
>In what way?
>
>We all make millions?
Speak for yourself :-)
>We'll be used in many sequels,
> "Peter" == Peter Scott <[EMAIL PROTECTED]> writes:
Peter> Securing a system today is like being Sigourney Weaver in
Peter> "Alien"...
In what way?
We all make millions?
We'll be used in many sequels, even when it's technically bizarre?
We run around in our undies while fighting beasts?
I think the useful point that somehow got buried in the sand along with the
ostrich was that security is a running battle. You *must* take every
opportunity to plug everything that could conceivably be a security hole,
even if it depends upon some other layer of security being broken
first.
On 9 Jun 2001, at 11:17, Dave Newton wrote:
> I've not been able to come up with any reasonable CGI that would be
> creating a path that the user has any control over; why would one want
> to do that?
Drall, just as a for-instance. (http://freshmeat.net/projects/drall/)
Hmm. A really quick che
On Sat, Jun 09, 2001 at 10:31:11AM -0500, Karen Cravens ([EMAIL PROTECTED]) spew-ed
forth:
> On 9 Jun 2001, at 11:15, Kevin Meltzer wrote:
>
> > Well, depending on the application (CGI or otherwise) you sometimes need to. If
> > it is a path, or a file, it may need to be done (as well as putting
On 9 Jun 2001, at 11:15, Kevin Meltzer wrote:
> Well, depending on the application (CGI or otherwise) you sometimes need to. If
> it is a path, or a file, it may need to be done (as well as putting things into
> DB with chars that shouldn't be there). If someone allows for \w chars, then
> they w
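A whitelist check of the kind Kevin Meltzer describes above, written as an added example that is not code from the thread. The allowed character set ([A-Za-z0-9._-], a slightly widened version of the "\w chars" he mentions), the hypothetical `safe_component` and `safe_path` names and the sample base directory are this example's own assumptions. Because the rule is a whitelist, an embedded newline, a slash, a NUL-adjacent trick or a shell metacharacter in a user-supplied component is rejected by the same single test.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: validate a user-supplied path
# component before a CGI uses it to build a filesystem path.
# The allowed set [A-Za-z0-9._-] is an assumption of this example.

# Returns 0 when $1 is a single safe path component, 1 otherwise.
# Rejects the empty string, "." and "..", and any string containing a
# byte outside the whitelist (which covers '/', newline, spaces and
# shell metacharacters in one rule).
safe_component() {
    local c=$1
    case "$c" in
        ''|.|..)              return 1 ;;   # no empty, current or parent dir
        *[!A-Za-z0-9._-]*)    return 1 ;;   # any byte outside the whitelist
    esac
    return 0
}

# Joins a fixed base directory with a validated component. Prints the
# resulting path on success; prints nothing and returns 1 otherwise.
safe_path() {
    local base=$1 comp=$2
    safe_component "$comp" || return 1
    printf '%s/%s\n' "$base" "$comp"
}

# Demo over constructed inputs (the base directory is hypothetical).
for name in 'report.bak' '../etc/passwd' 'evil
name' 'a b'; do
    if p=$(safe_path /var/www/docs "$name"); then
        printf 'accepted: %s\n' "$p"
    else
        printf 'rejected: %s\n' "$(printf '%s' "$name" | tr '\n' '?')"
    fi
done
```

The check is deliberately a whitelist rather than a blacklist of "bad" characters: the thread's whole point is that an attacker chooses the bytes, so the only safe rule is one that names what is allowed and rejects everything else, including the newline that breaks `read`.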
On Sat, Jun 09, 2001 at 11:17:43AM -0400, Dave Newton ([EMAIL PROTECTED]) spew-ed
forth:
>
> I've not been able to come up with any reasonable CGI that would be
> creating a path that the user has any control over; why would one want
> to do that?
What about things like document/filesystem mana
> > So yes, I take newlines in paths seriously. You can't be an ostrich
> > about them burying your head in the sand. That's not secure, and you
> > will be hacked.
>
> Ostriches don't really bury their heads in the sand, you know...
S, that was supposed to be a secret.
I've not been able
On Sat, Jun 09, 2001 at 09:52:45AM -0500, Karen Cravens ([EMAIL PROTECTED]) spew-ed
forth:
> Or just plain don't create paths through CGI (or for any other trivial
> reason). That's me. Though it's something I'll keep in mind when I
> do have a need for path creation. (I'll probably be limit
On 9 Jun 2001, at 10:44, Kevin Meltzer wrote:
> If it is under the control of your CGI, and you use proper data laundering and
> checking on paths being created, you shouldn't have a security issue.
Or just plain don't create paths through CGI (or for any other trivial
reason). That's me. Th
On Sat, Jun 09, 2001 at 09:35:18AM -0500, Karen Cravens ([EMAIL PROTECTED]) spew-ed
forth:
> On 9 Jun 2001, at 7:10, Randal L. Schwartz wrote:
>
> > But that doesn't matter. If you don't plan for it, someone will
> > create a path with a newline to DELIBERATELY break your code
> > and potential
On 9 Jun 2001, at 7:10, Randal L. Schwartz wrote:
> But that doesn't matter. If you don't plan for it, someone will
> create a path with a newline to DELIBERATELY break your code
> and potentially open up a security hole.
Harrumph. If someone is creating paths on *my* system (yes,
even under
> "Jeff" == Jeff Yoak <[EMAIL PROTECTED]> writes:
Jeff> At 05:11 PM 6/8/01 -0500, Karen Cravens wrote:
>> On 8 Jun 2001, at 14:33, Randal L. Schwartz wrote:
>>
>> > No, because newlines are the delimiters for sh's "read" operator.
>>
>> Is it just me, or does anyone else think newlines in f
At 05:11 PM 6/8/01 -0500, Karen Cravens wrote:
>On 8 Jun 2001, at 14:33, Randal L. Schwartz wrote:
>
> > No, because newlines are the delimiters for sh's "read" operator.
>
>Is it just me, or does anyone else think newlines in filenames are
>Evil Incarnate regardless?
It's not just you. :-)
Che
On 8 Jun 2001, at 14:33, Randal L. Schwartz wrote:
> No, because newlines are the delimiters for sh's "read" operator.
Is it just me, or does anyone else think newlines in filenames are
Evil Incarnate regardless?
--
Karen J. Cravens ([EMAIL PROTECTED])
At 02:33 PM 6/8/01 -0700, Randal L. Schwartz wrote:
> > "Atul" == Atul Khot <[EMAIL PROTECTED]> writes:
>
>Atul> Just out of curiosity ( and to learn more ), as you say, suppose a
>Atul> filename has an embedded newline in it. Referring to Mathew's solution,
>Atul> can't we somehow r
> "Atul" == Atul Khot <[EMAIL PROTECTED]> writes:
Atul> Just out of curiosity ( and to learn more ), as you say, suppose a
Atul> filename has an embedded newline in it. Referring to Mathew's solution,
Atul> can't we somehow read that as a single filename and operate on it?
Atul> Sp
> "Mathew" == Mathew Hennessy <[EMAIL PROTECTED]> writes:
Mathew> Fair enough, though for truly one-off stuff find |while read is still my
Mathew> friend...
Mathew> find ./ -type f -name '*.bak' -mtime +30 |while read f; do echo "removing
Mathew> [$f]"; rm -f "$f"; done
Mathew> (on solaris)
Ma
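The failure Randal describes, shown end to end as an added example that is not code from the thread: a filename with an embedded newline makes Mathew's newline-delimited `find | while read` loop see two names, neither of which is the real file, while a NUL-delimited pipeline (`find -print0` feeding bash's `read -d ''`) sees exactly one. The example omits the `-mtime +30` test and the `rm -f`, prints the names each loop would have acted on instead, and assumes bash and a `find` that supports `-print0` (GNU or BSD, not the 2001 Solaris find in the original post). The sandbox directory and the filenames in it are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Requires bash (read -d '') and a
# find with -print0 (GNU/BSD). Nothing here deletes files outside the
# sandbox it creates.

# Constructed sandbox: one ordinary .bak file and one whose name contains
# a newline. Prints the sandbox path.
make_sandbox() {
    local dir
    dir=$(mktemp -d) || return 1
    : > "$dir/old.bak"
    : > "$dir/evil
victim.bak"
    printf '%s\n' "$dir"
}

# The loop from the thread, minus the rm: prints each name the loop
# would have handed to `rm -f`, one per line, relative to the sandbox.
# `read` splits on newline, so "evil<NL>victim.bak" arrives as two
# names: "evil" (does not exist) and "victim.bak" (resolved against the
# script's cwd, i.e. whatever file an attacker chose to name).
naive_names() {
    local dir=$1
    find "$dir" -type f -name '*.bak' | while read -r f; do
        printf '%s\n' "${f#"$dir/"}"
    done
}

# Same traversal, NUL-delimited: -print0 and read -d '' agree on a
# delimiter that cannot occur in a pathname, so each name round-trips
# intact. For display the embedded newline is rendered as "\n"; the
# variable $f itself still holds the real newline.
nul_names() {
    local dir=$1 nl=$'\n' bs='\'
    find "$dir" -type f -name '*.bak' -print0 | while IFS= read -r -d '' f; do
        f=${f#"$dir/"}
        printf '%s\n' "${f//$nl/${bs}n}"
    done
}

# Count helpers so the two approaches can be compared directly.
naive_count() { naive_names "$1" | wc -l | tr -d ' '; }
nul_count()   { nul_names   "$1" | wc -l | tr -d ' '; }

demo() {
    local d
    d=$(make_sandbox) || return 1
    echo "naive loop sees $(naive_count "$d") names:"; naive_names "$d"
    echo "NUL loop sees $(nul_count "$d") names:";     nul_names "$d"
    rm -rf "$d"
}
demo
```

The same idea applies when the consumer is not a shell loop: `find ... -print0 | xargs -0 rm -f` or `find ... -exec rm -f {} +` never re-parse the names through a newline-delimited channel, which is what Atul was asking for when he wondered whether the name could be read "as a single filename".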