Retain orig. filename as suffix for tmp. filename

Pavel Roskin proski at gnu.org
Tue Mar 11 00:43:02 UTC 2003


Hello, Adam!

> I've applied your patch with minimal changes.  Thank you!

Actually, your patch has created a security hole, but not where I
expected.  extfs_cmd() doesn't quote the local filename.  It was OK
before.  But since the local name is now based on the entry name, it must
be quoted.

Try opening in the viewer a file inside a zip archive if that file
contains "&" in the filename.

touch "run&xterm"
zip exploit.zip "run&xterm"

Now look inside :-)

Fortunately, version 4.6.0 is not affected, or I would have to make an
emergency release.  If anybody is running CVS mc or a post-4.6.0 snapshot
and security is of any concern, upgrade to the current snapshot or CVS is
highly recommended.

-- 
Regards,
Pavel Roskin



More information about the mc-devel mailing list