Ludovic Drolez scribbled on 10/18/06 10:27 AM:
> On Tue, Oct 17, 2006 at 10:21:42PM -0500, Peter Karman wrote:
>> Like most things Unix, I think we need to give users enough rope to hang
>> themselves. If they want to 'rm -rf /' in their FileFilter configuration, I
>> don't want to stop them. After all, swish-e config files are used for
>> indexing only, not searching, so there's no chance of unknown users
> I think you did not understand the security problem:
> 1- imagine swish-e running as root under a cron which indexes users files
> 2- a user has strange files like "test.pdf;rm -rf /" or better "test & reboot .pdf"
> Then your server will reboot or your files will be erased !
> This potential security bug was 1st reported on the Debian BTS:
ah yes, I see now.
/hits side of head
swish-e running as root doesn't seem like a Good Idea anyway, but I can see what
you're saying: malicious file names can Do Harm.
ok, I'm convinced.
Peter Karman . http://peknet.com/ . peter(at)not-real.peknet.com
Received on Wed Oct 18 11:57:34 2006