
Re: DoS in debian (potato) proftpd: 1.2.0pre10-2.0potato1



also sprach Alun Jones <alun@texis.com> [2002.04.04.0445 +0200]:
> >  DenyFilter \*.*/
> 
> Just as a quick question, why not deny the string "/../" (you may have to 
> deny the regex "/\.\./", depending how the filter in question works)?

quick answer: because i merely copied the fix from the security pages
of the proftpd homepage [1].

  1. http://proftpd.linux.co.uk/critbugs.html

> As far as I can tell, it's the ability to embed "/../" into a path that is 
> at the root of this, far more than the ability to embed wildcards.  I can't 
> think of a situation in which "/../" should appear in a user-supplied path, 
> except after a string of repeated "../"s.

i actually agree with you here.

> "[^/.].*/\.\./"

mh, this would not prevent

  /some/.dotdir/../

right?

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
to vacillate or not to vacillate,
that is the question ... or is it?
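As an added check (not part of the thread), the three patterns under discussion can be run against a few constructed FTP command arguments. ProFTPD evaluates DenyFilter as an unanchored POSIX regex search over the argument, so Python's `re.search` is used here as a stand-in; the sample arguments are made up for the demonstration.

```python
import re

# The filters from the discussion. ProFTPD applies DenyFilter as an
# unanchored regex search over the command argument, so a match anywhere
# in the string is enough to reject the command.
FILTERS = {
    "critbugs": r"\*.*/",          # fix published on the proftpd critbugs page
    "dotdot":   r"/\.\./",         # deny any embedded "/../"
    "nodot":    r"[^/.].*/\.\./",  # require a non-'/' non-'.' char somewhere before "/../"
}

# Constructed sample arguments (not real traffic).
SAMPLES = [
    "pub/file.txt",        # ordinary path, nothing should deny it
    "*.*/",                # wildcard-then-slash shape the critbugs filter targets
    "../../etc",           # a run of repeated "../" (allowed by "nodot", caught by "dotdot")
    "a/../b",              # "/../" preceded by a normal path component
    "/some/.dotdir/../",   # the case raised in the reply above
]


def denied_by(arg: str) -> dict:
    """Return {filter name: bool} telling which filters would reject `arg`."""
    return {name: re.search(pat, arg) is not None for name, pat in FILTERS.items()}


def report(samples=SAMPLES) -> dict:
    """Evaluate every sample against every filter; keyed by sample."""
    return {arg: denied_by(arg) for arg in samples}


if __name__ == "__main__":
    for arg, verdict in report().items():
        hits = [name for name, denied in verdict.items() if denied]
        print(f"{arg!r:22} denied by: {', '.join(hits) or '(none)'}")
```

Note that `[^/.]` is satisfied by any earlier character in the argument, not only the one immediately before `/../`, because `.*` sits between them; the `nodot` pattern therefore still matches `/some/.dotdir/../` via the `s` in `some`, while it does not match a bare run of `../../`.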
