Re: [Fwd: HUGE BUG! Any user can read any file on the system (if he has the required rights)]

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

> For the sake of completeness, if you did that, you'd have to exclude
the
> following attempts as well:
>
>   "../../../../../../etc/passwd"
>   "./../../../../../etc/passwd"

Well, for complete completeness, you should use the string checks that
are in cvs already, which Lewis mentioned on the main list. They need to
check for any occurrence of '../' or the first character being '/', and
if either of those are the case, they need to just ignore the 'mailbox'
settings and use the Inbox.

-r3-