Re: download.pl lets arbitrary stuff through

To: "Bernhard R. Link" <brlink@debian.org>
Cc: debian-www@lists.debian.org
Subject: Re: download.pl lets arbitrary stuff through
From: Javier Fernández-Sanguino Peña <jfs@computer.org>
Date: Mon, 11 Dec 2006 21:03:47 +0100
Message-id: <[🔎] 20061211200347.GA12277@javifsp.no-ip.org>
Mail-followup-to: "Bernhard R. Link" <brlink@debian.org>, debian-www@lists.debian.org
In-reply-to: <[🔎] 20061211191711.GA2448@pcpool00.mathematik.uni-freiburg.de>
References: <[🔎] 20061211191711.GA2448@pcpool00.mathematik.uni-freiburg.de>

On Mon, Dec 11, 2006 at 08:17:11PM +0100, Bernhard R. Link wrote:
> I was just made aware, that
> http://packages.debian.org/cgi-bin/download.pl
> is very liberate in putting arbitrary stuff in the website,
> try for example:
> 
> http://packages.debian.org/cgi-bin/download.pl?arch=i386&file=";></a><javascript><a href="&md5sum=<br><b>ups</b>&type=main
> 
> I think it should really only let characters save for filename
> (Debian packages are [A-Za-z0-9_.+~:-] I think) through for files
> and best ommit the md5sum completely if it is that easy to fake.

Fixed and uploaded, see #402631.

Javier

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: download.pl lets arbitrary stuff through
  - From: Stefan Scheler <stefan@scheler.com>

References:
- download.pl lets arbitrary stuff through
  - From: "Bernhard R. Link" <brlink@debian.org>

Prev by Date: download.pl lets arbitrary stuff through
Next by Date: Re: download.pl lets arbitrary stuff through
Previous by thread: download.pl lets arbitrary stuff through
Next by thread: Re: download.pl lets arbitrary stuff through
Index(es):
- Date
- Thread