Hi Toralf,
First off, I rather like your approach to configuration files.
Good ;-)
A little research shows that the explicit test was introduced to plug
a security hole reported by PERL... See BUG #1353481 for more
information.
I see...
[ ... ]
I'm proposing an alternate solution to our mutual problems:
Sanitize file name by simply rejecting any '..' path component
in a configuration name.
Right. Of course ".." might be used in clever ways to do some evil.
Never thought of that.
This should allow any arbitrary character in the configuration name
and prevent any attempts to use a configuration outside of the
amanda configuration directory.
Toralf: will this work for you?
Yes, this will be quite all right with me.
- Toralf
|