[Cvs-dev] Re: [Cvs-cvs] ccvs ChangeLog NEWS [cvs1-11-x-branch]
From: Larry Jones
Subject: [Cvs-dev] Re: [Cvs-cvs] ccvs ChangeLog NEWS [cvs1-11-x-branch]
Date: Tue, 29 Aug 2006 15:49:52 -0400 (EDT)

Derek R. Price writes:
>
> Larry Jones wrote:
> >
> > path. Have we already normalized or forbidden /../?
>
> Not really. The server verifies that there are not enough /../ to step
> above the top of its temp dir, but other than that, it is allowed.

Ah, that opens up a can of worms, then. It would seem that "/../"
should also be normalized for similar reasons to why "/./" should, but
it's tricky in the presence of symlinks since "/a/b/../" isn't
necessarily the same as "/a/" if "b" is a symlink. So, you really need
to expand symlinks during normalization, but that violates the rule that
messages coming out should match what the user put in even more than
just normalizing "//" and "/./" does.
-Larry Jones
I hate being good. -- Calvin
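
Added example, not part of the message above and not CVS source code: a small C program that shows the "/a/b/../" case from the message by comparing a purely lexical normalizer with realpath(), which expands symlinks. The function names, the temporary directory and the a, b, x, y layout are constructed for this illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Purely lexical: collapses "//", "/./", "/x/../". out holds PATH_MAX bytes. */
void lexical_normalize(const char *in, char *out)
{
    char buf[PATH_MAX], *tok, *save, *slash;
    size_t len = 0;
    snprintf(buf, sizeof buf, "%s", in);
    out[0] = '\0';
    for (tok = strtok_r(buf, "/", &save); tok; tok = strtok_r(NULL, "/", &save)) {
        if (strcmp(tok, "..") == 0) {        /* drop previous name, symlink or not */
            if ((slash = strrchr(out, '/')) != NULL)
                *slash = '\0';
            len = strlen(out);
        } else if (strcmp(tok, ".") != 0)    /* "." and empty names add nothing */
            len += snprintf(out + len, PATH_MAX - len, "/%s", tok);
    }
    if (len == 0)
        strcpy(out, "/");
}

/* Constructed layout: <root>/a/b -> ../x/y. Returns 1 if both forms differ. */
int symlink_dotdot_differs(void)
{
    char tmpl[] = "/tmp/dotdotXXXXXX", root[PATH_MAX], path[PATH_MAX + 16];
    char lex[PATH_MAX], real[PATH_MAX];
    int d, rc = -1;                          /* -1 means setup failed */
    if (!mkdtemp(tmpl) || !realpath(tmpl, root) || (d = open(root, O_RDONLY)) < 0)
        return -1;
    if (!mkdirat(d, "a", 0700) && !mkdirat(d, "x", 0700) &&
        !mkdirat(d, "x/y", 0700) && !symlinkat("../x/y", d, "a/b")) {
        snprintf(path, sizeof path, "%s/a/b/../", root);
        lexical_normalize(path, lex);        /* <root>/a */
        if (realpath(path, real))            /* <root>/x, via the symlink */
            rc = strcmp(lex, real) != 0;
        printf("lexical:  %s\nresolved: %s\n", lex, rc < 0 ? "?" : real);
    }
    unlinkat(d, "a/b", 0); unlinkat(d, "x/y", AT_REMOVEDIR); unlinkat(d, "x", AT_REMOVEDIR);
    unlinkat(d, "a", AT_REMOVEDIR); close(d); rmdir(root);
    return rc;
}

int main(void) { return symlink_dotdot_differs() == 1 ? 0 : 1; }
```

The two printed paths differ, so a check made on the lexically normalized string does not describe the directory the operating system actually reaches.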