Retain orig. filename as suffix for tmp. filename
Pavel Roskin
proski at gnu.org
Tue Mar 11 00:43:02 UTC 2003
Hello, Adam!
> I've applied your patch with minimal changes. Thank you!
Actually, your patch has created a security hole, but not where I
expected. extfs_cmd() doesn't quote the local filename. It was OK
before. But since the local name is now based on the entry name, it must
be quoted.
Try opening in the viewer a file inside a zip archive if that file
contains "&" in the filename.
    touch "run&xterm"
    zip exploit.zip "run&xterm"
Now look inside :-)
Fortunately, version 4.6.0 is not affected, or I would have to make an
emergency release. If anybody is running CVS mc or a post-4.6.0 snapshot
and security is of any concern, upgrading to the current snapshot or CVS is
highly recommended.
--
Regards,
Pavel Roskin
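
The kind of quoting the message says is missing, as an added example (not mc's code and not part of the original message): every name that originates from an archive entry is single-quoted before the command string reaches the shell. The function names `sh_quote` and `build_copyout_cmd`, the helper path and the `copyout` argument layout are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: wrap s in single quotes for /bin/sh, rewriting
   each embedded ' as '\''. The caller frees the result. */
char *sh_quote(const char *s)
{
    size_t n = 2;                        /* opening and closing quote */
    for (const char *p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n + 1), *q = out;
    if (!out)
        return NULL;
    *q++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') {
            memcpy(q, "'\\''", 4);       /* close, escaped quote, reopen */
            q += 4;
        } else {
            *q++ = *p;
        }
    }
    *q++ = '\'';
    *q = '\0';
    return out;
}

/* Build "<helper> copyout <archive> <entry> <local>" with all three names
   quoted, including the local name now derived from the entry name. */
char *build_copyout_cmd(const char *helper, const char *archive,
                        const char *entry, const char *local)
{
    char *a = sh_quote(archive), *e = sh_quote(entry), *l = sh_quote(local);
    char *cmd = NULL;
    if (a && e && l) {
        size_t n = strlen(helper) + strlen(a) + strlen(e) + strlen(l) + 16;
        cmd = malloc(n);
        if (cmd)
            snprintf(cmd, n, "%s copyout %s %s %s", helper, a, e, l);
    }
    free(a); free(e); free(l);
    return cmd;
}

int main(void)
{
    /* Constructed sample: temp name carrying the entry name as its suffix. */
    char *cmd = build_copyout_cmd("/path/to/helper", "exploit.zip",
                                  "run&xterm", "/tmp/mcXXXXrun&xterm");
    if (cmd)
        puts(cmd);
    free(cmd);
    return 0;
}
```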