On Tue, Oct 17, 2006 at 10:21:42PM -0500, Peter Karman wrote:
> Like most things Unix, I think we need to give users enough rope to hang
> themselves. If they want to 'rm -rf /' in their FileFilter configuration, I
> don't want to stop them. After all, swish-e config files are used for
> indexing only, not searching, so there's no chance of unknown users

I think you did not understand the security problem:

1- imagine swish-e running as root under a cron which indexes users' files
2- a user has strange files like "test.pdf;rm -rf /" or better "test & reboot .pdf"

Then your server will reboot or your files will be erased!

This potential security bug was first reported on the Debian BTS:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=357239

Cheers,
--
Ludovic Drolez.
http://zaurus.palmopensource.com - The Zaurus Open Source Portal
http://www.drolez.com - Personal site - Linux, Zaurus and PalmOS stuff
Received on Wed Oct 18 08:29:31 2006
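
The failure mode described in this message, as an added example that is not part of the original post and is not swish-e's code: a filter command built by pasting a file name into a shell string, next to the same filter run with an argument vector. The filter (`cat`), the helper names and the sample file name are assumptions made for illustration, and the injected command is a harmless `echo`.

```python
import os
import subprocess
import tempfile

# Constructed sample: a file name a local user could create in an indexed
# directory. The part after ';' is a harmless stand-in for a hostile command.
HOSTILE_NAME = "test.pdf;echo INJECTED"


def filter_via_shell(filter_cmd, path):
    """Vulnerable pattern: the path is pasted into a string that /bin/sh parses."""
    result = subprocess.run(f"{filter_cmd} {path}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def filter_via_argv(filter_argv, path):
    """Hardened pattern: no shell is involved; the path is one argv element."""
    result = subprocess.run([*filter_argv, "--", path],
                            capture_output=True, text=True)
    return result.stdout


def demo():
    """Create the oddly named file in a scratch directory and run both variants."""
    with tempfile.TemporaryDirectory() as scratch:
        path = os.path.join(scratch, HOSTILE_NAME)
        with open(path, "w") as fh:
            fh.write("document body\n")
        return filter_via_shell("cat", path), filter_via_argv(["cat"], path)


if __name__ == "__main__":
    unsafe, safe = demo()
    print("shell string:", repr(unsafe))  # the text after ';' ran as a command
    print("argv list:  ", repr(safe))     # the file itself was read
```

With the shell string, the shell splits the name at `;` and runs the second half with the indexer's privileges; with the argument vector, the whole name reaches the filter as a single file path.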