[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: phpmyadmin / CVE-2016-5739.patch

Ola Lundqvist <ola@inguza.com> writes:

> My conclusion however is about the same as you. I do not think many are
> using the transformations so I think we can safely remove that.
> Another option is to make a check for .. in the filename, because I think
> we can safely assume an attacher do not have write permission in the
> plugins directory, or can that be a problem too?

I would think this should work too. If we are sure we are 100%
preventing an attacker "escaping" the plugins directory that is.
Brian May <bam@debian.org>

Reply to: