[Bug-wget] Re: trustservernames patch

[Jochen Roderburg]

I have been trying out the current development version with the  
trustservernames patch and soon found out that this really breaks many  
downloads (e.g. most URLs for sourceforge) and most certainly will be  
an option that I will set permanently to on with my wget usage.

OTOH I also saw that the patch as such is not yet complete and does  
not yet cover all aspects of the underlying problem.
It seems that setting contentdisposition=on (what I also have  
permanently in my wget configuration) circumvents the patch. Not only  
when a Content-Disposition header is actually used, just the active  
option is sufficient for this.
But further thinking shows that actually the whole contentdisposition  
feature has the same vulnerability as the redirect case, this is also  
a case where a remote server can set the filename which is locally  
used by wget.

So I think: to make the patch complete trustservernames=off must also  
imply contentdisposition=off.
Or you invent another separate option for the contentdisposition case.

In my own personal wget version I will set all these options to on,  
because I usually want the filenames that are suggested from the  
server side. I will even set these as defaults in the source, because  
setting them in some wgetrc configuration file creates another  
backward-compatibility problem with such new options: older program  
versions which do not know the options don't run any longer. And I  
also want to use those occasionally, for tests or comparisons or when  
I want to use some feature which has disappeared in newer versions.

Best regards,

Jochen Roderburg
RRZK
University of Cologne
Robert-Koch-Str. 10                    Tel.:   +49-221/478-7024
D-50931 Koeln                          E-Mail: address@hidden
Germany