[Bug-wget] Re: trustservernames patch

From: Jochen Roderburg
Subject: [Bug-wget] Re: trustservernames patch
Date: Sun, 01 Aug 2010 11:17:02 +0200
User-agent: Dynamic Internet Messaging Program (DIMP) H3 (1.1.4)

I have been trying out the current development version with the trustservernames patch and soon found out that this really breaks many downloads (e.g. most URLs for sourceforge) and most certainly will be an option that I will set permanently to on with my wget usage.

OTOH I also saw that the patch as such is not yet complete and does not yet cover all aspects of the underlying problem. It seems that setting contentdisposition=on (which I also have permanently in my wget configuration) circumvents the patch. Not only when a Content-Disposition header is actually used; just the active option is sufficient for this. But further thinking shows that actually the whole contentdisposition feature has the same vulnerability as the redirect case: this is also a case where a remote server can set the filename which is locally used by wget.

So I think: to make the patch complete trustservernames=off must also imply contentdisposition=off.
Or you invent another separate option for the contentdisposition case.

In my own personal wget version I will set all these options to on, because I usually want the filenames that are suggested from the server side. I will even set these as defaults in the source, because setting them in some wgetrc configuration file creates another backward-compatibility problem with such new options: older program versions which do not know the options don't run any longer. And I also want to use those occasionally, for tests or comparisons or when I want to use some feature which has disappeared in newer versions.

Best regards,

Jochen Roderburg
University of Cologne
Robert-Koch-Str. 10                    Tel.:   +49-221/478-7024
D-50931 Koeln                          E-Mail: address@hidden
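
A simplified model of the naming decision discussed in the message above, added here as an illustration and not taken from wget's source or from the patch. The function names, the `strict` flag, and the sample URLs and header are constructed assumptions; only the case where a Content-Disposition header is actually present is modelled.

```python
from email.message import Message
from urllib.parse import unquote, urlsplit


def bare_name(raw):
    """Final path component only, so a supplied value names a file, not a path."""
    name = raw.replace("\\", "/").rsplit("/", 1)[-1]
    return name if name not in ("", ".", "..") else None


def url_basename(url):
    """Last path component of a URL, or index.html when there is none."""
    return bare_name(unquote(urlsplit(url).path)) or "index.html"


def disposition_filename(header):
    """filename parameter of a Content-Disposition value, as a bare name."""
    if not header:
        return None
    msg = Message()
    msg["Content-Disposition"] = header
    raw = msg.get_filename()
    return bare_name(raw) if raw else None


def local_name(requested_url, final_url, content_disposition,
               trust_server_names, honor_content_disposition, strict=False):
    """Return (filename, source); source says who picked the name.

    strict=False: the two options are independent (the gap reported above).
    strict=True:  trust_server_names off also disables Content-Disposition
                  (the first fix proposed above). Hypothetical flag.
    """
    if strict and not trust_server_names:
        honor_content_disposition = False
    if honor_content_disposition:
        name = disposition_filename(content_disposition)
        if name:
            return name, "content-disposition"
    if trust_server_names and final_url != requested_url:
        return url_basename(final_url), "redirect"
    return url_basename(requested_url), "request"


# Constructed sample response: a redirect plus a Content-Disposition header.
REQ = "http://example.test/download/tool.tar.gz"
FINAL = "http://mirror.example.test/files/redirected-name.bin"
CD = 'attachment; filename="header-name.bin"'

if __name__ == "__main__":
    for strict in (False, True):
        print(strict, local_name(REQ, FINAL, CD, False, True, strict=strict))
```

With `strict=False` the header still decides the local name even though server-supplied names are not trusted; with `strict=True` the name falls back to the requested URL.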
