Ludovic Drolez scribbled on 10/18/06 10:27 AM:
> On Tue, Oct 17, 2006 at 10:21:42PM -0500, Peter Karman wrote:
>> Like most things Unix, I think we need to give users enough rope to hang 
>> themselves. If they want to 'rm -rf /' in their FileFilter configuration, I 
>> don't want to stop them. After all, swish-e config files are used for 
>> indexing only, not searching, so there's no chance of unknown users 
> 
> I think you did not understand the security problem: 
> 1- imagine swish-e running as root under a cron which indexes users files
> 2- a user has strange files like "test.pdf;rm -rf /" or better "test & reboot .pdf"
> 
> Then your server will reboot or your files will be erased !
> 
> This potential security bug was 1st reported on the Debian BTS:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=357239
> 


ah yes, I see now.

/hits side of head

swish-e running as root doesn't seem like a Good Idea anyway, but I can see what 
you're saying: malicious file names can Do Harm.

ok, I'm convinced.

-- 
Peter Karman  .  http://peknet.com/  .  peter(at)not-real.peknet.com