Re: phpmyadmin / CVE-2016-5739.patch

To: Ola Lundqvist <ola@inguza.com>
Cc: Debian LTS <debian-lts@lists.debian.org>
Subject: Re: phpmyadmin / CVE-2016-5739.patch
From: Brian May <bam@debian.org>
Date: Sat, 29 Dec 2018 09:54:27 +1100
Message-id: <[🔎] 874laxi7oc.fsf@silverfish.pri>
In-reply-to: <[🔎] CABY6=0ko-FHvn+md-P95iWRT3kGzoO-NUirL7oMZFy6YcCYemQ@mail.gmail.com>
References: <[🔎] 87tvjbibg6.fsf@silverfish.pri> <[🔎] CABY6=0ko-FHvn+md-P95iWRT3kGzoO-NUirL7oMZFy6YcCYemQ@mail.gmail.com>

Ola Lundqvist <ola@inguza.com> writes:

> My conclusion however is about the same as you. I do not think many are
> using the transformations so I think we can safely remove that.
> Another option is to make a check for .. in the filename, because I think
> we can safely assume an attacher do not have write permission in the
> plugins directory, or can that be a problem too?

I would think this should work too. If we are sure we are 100%
preventing an attacker "escaping" the plugins directory that is.
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: phpmyadmin / CVE-2016-5739.patch
  - From: Ola Lundqvist <ola@inguza.com>

References:
- phpmyadmin / CVE-2016-5739.patch
  - From: Brian May <brian@linuxpenguins.xyz>
- Re: phpmyadmin / CVE-2016-5739.patch
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: Re: phpmyadmin / CVE-2018-19968
Next by Date: Re: MySQL 5.5 EOL before Debian 8 LTS ends
Previous by thread: Re: phpmyadmin / CVE-2016-5739.patch
Next by thread: Re: phpmyadmin / CVE-2016-5739.patch
Index(es):
- Date
- Thread