On Tue, Oct 17, 2006 at 10:21:42PM -0500, Peter Karman wrote:
> Like most things Unix, I think we need to give users enough rope to hang
> themselves. If they want to 'rm -rf /' in their FileFilter configuration, I
> don't want to stop them. After all, swish-e config files are used for
> indexing only, not searching, so there's no chance of unknown users
I think you did not understand the security problem:
1- imagine swish-e running as root under a cron which indexes users files
2- a user has strange files like "test.pdf;rm -rf /" or better "test & reboot .pdf"
Then your server will reboot or your files will be erased !
This potential security bug was 1st reported on the Debian BTS:
http://zaurus.palmopensource.com - The Zaurus Open Source Portal
http://www.drolez.com - Personal site - Linux, Zaurus and PalmOS stuff
Received on Wed Oct 18 08:29:31 2006