Re: SWISH-E 2.4.4 filters can not locate files

From: Ludovic Drolez <ldrolez(at)not-real.debian.org>
Date: Wed Oct 18 2006 - 15:27:42 GMT

On Tue, Oct 17, 2006 at 10:21:42PM -0500, Peter Karman wrote:
> Like most things Unix, I think we need to give users enough rope to hang 
> themselves. If they want to 'rm -rf /' in their FileFilter configuration, I 
> don't want to stop them. After all, swish-e config files are used for 
> indexing only, not searching, so there's no chance of unknown users 

I think you did not understand the security problem: 
1- imagine swish-e running as root under a cron which indexes users' files
2- a user has strange files like "test.pdf;rm -rf /" or better "test & reboot .pdf"

Then your server will reboot or your files will be erased!

This potential security bug was 1st reported on the Debian BTS:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=357239

Cheers,

-- 
Ludovic Drolez.

http://zaurus.palmopensource.com       - The Zaurus Open Source Portal
http://www.drolez.com      - Personal site - Linux, Zaurus and PalmOS stuff
Received on Wed Oct 18 08:29:31 2006
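
The file-name problem described in the message above, as an added example that is not part of the original post or of swish-e's code: it tokenizes, without executing anything, what a shell would see if a file name were pasted unquoted into a filter command line, then runs a filter with the name passed as a single argv element and no shell. The names `shell_view`, `run_filter`, `somefilter` and `STAND_IN_FILTER` are hypothetical, and how swish-e itself builds the filter command is an assumption, since the page does not show it.

```python
import os
import shlex
import subprocess
import sys
import tempfile

# File names quoted in the message above, handled here purely as data.
NAMES = ["test.pdf;rm -rf /", "test & reboot .pdf"]

# Hypothetical stand-in for a filter program: prints the file it is given.
STAND_IN_FILTER = [sys.executable, "-c",
                   "import sys; sys.stdout.write(open(sys.argv[1]).read())"]


def shell_view(filter_name, file_name):
    """Tokens a POSIX shell would see if file_name were pasted unquoted
    into a command string. Nothing is executed."""
    lexer = shlex.shlex(f"{filter_name} {file_name}", posix=True,
                        punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def run_filter(filter_argv, path):
    """Run the filter with the path as one argv element and no shell."""
    result = subprocess.run(filter_argv + [path], capture_output=True,
                            text=True, check=True)
    return result.stdout


def demo():
    """Create a file with the second name and filter it without a shell."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, NAMES[1])
        with open(path, "w") as fh:
            fh.write("constructed sample text\n")
        return run_filter(STAND_IN_FILTER, path)


if __name__ == "__main__":
    for name in NAMES:
        # The separator and the words after it appear as their own tokens.
        print(shell_view("somefilter", name))
    # The oddly named file is read as one path; nothing else runs.
    print(demo(), end="")
```

The tokenizer relies on `shlex` behaviour from Python 3.8 or later, where `punctuation_chars` and `whitespace_split` can be combined.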