John Franks wrote:

Hi Toralf,
First off, I rather like your approach to configuration files.

A little research shows that the explicit test was introduced to plug
a security hole reported by PERL... See BUG #1353481 for more information.

I'm piping in here, and expanding the audience to include amanda_hackers,
since the change seems to impact my work on allowing spaces in file names.
(Currently checked into sourceforge 2.5.1 branch.)

The current check is a little too strict and will strip out spaces and control

characters, all of which are valid according to POSIX rules.
(POSIX allows any character except '/' or NULL is allowable.)

I'm proposing an alternate solution to our mutual problems:
 Sanitize file name by simply rejecting any '..' path component
 in a configuration name.

This should allow any arbitrary character in the configuration name
and prevent any attempts to use a configuration outside of the
amanda configuration directory.

Toralf: will this work for you?
Hackers: will this pass security muster?

Hi John,

--
Thank you!
Kevin Till

Amanda documentation: http://wiki.zmanda.com
Amanda forums:        http://forums.zmanda.com